Browser - Cross-Origin Read Blocking (CORB)


1 - About

Cross-Origin Read Blocking (CORB) is a security feature that prevents the contents of a cross-origin resource from ever entering the memory of the renderer process, based on the resource's MIME type.

The main motivation behind CORB is to make it hard for a malicious web page to pull a cross-site resource into its own process in order to steal it (for example by reading it out of process memory).

3 - Process

CORB prevents the renderer process from receiving a cross-origin data resource (i.e. HTML, XML, or JSON) if:

  • CORS doesn't explicitly allow access to the resource, and
  • the resource carries an X-Content-Type-Options: nosniff header. Without that header, CORB sniffs the response body to confirm that it really is HTML, XML, or JSON before blocking it (so that a misconfigured server that serves, for example, images as text/html does not get its images blocked).

4 - Blocked = Empty

Data resources that are blocked by the CORB policy are presented to the renderer process as empty, although the request itself still happens in the background.

5 - Configuration

To ensure CORB classifies your responses correctly:

  • Mark responses with the correct Content-Type header.
  • Opt out of sniffing by using the X-Content-Type-Options: nosniff header. Without this header, Chrome does a quick content analysis to try to confirm that the declared type is correct.
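The following is an added example (not part of the original page and not Chromium's code) that models the decision described in the Process and Configuration sections: a response is withheld from the renderer when CORS does not allow the requesting origin and the response either carries nosniff or sniffs as the HTML/XML/JSON type it claims. The sniffers are deliberately minimal stand-ins for Chrome's real ones, the protected MIME list is abbreviated (Chrome also treats text/plain and the +xml / +json suffix types), and the sample responses and the origin name are constructed for illustration.

```python
"""Simplified model of the CORB decision (added illustration, not Chromium code)."""
import json

# Abbreviated set of CORB-protected types (Chrome's real list is longer).
PROTECTED = {"text/html", "text/xml", "application/xml", "application/json"}

# Minimal HTML markers for the toy sniffer below.
HTML_MARKERS = ("<!doctype html", "<html", "<head", "<body", "<script", "<iframe")


def normalize_headers(headers):
    """Lower-case header names so lookups are case-insensitive."""
    return {name.lower(): value for name, value in headers.items()}


def mime_type(headers):
    """Content-Type without parameters, lower-cased (e.g. 'application/json')."""
    return headers.get("content-type", "").split(";")[0].strip().lower()


def cors_allows(headers, requesting_origin):
    """True when Access-Control-Allow-Origin grants the requesting origin access."""
    acao = headers.get("access-control-allow-origin", "").strip()
    return acao == "*" or acao == requesting_origin


def has_nosniff(headers):
    return headers.get("x-content-type-options", "").strip().lower() == "nosniff"


def sniff_html(body):
    head = body[:512].lstrip().lower()
    return any(head.startswith(marker) for marker in HTML_MARKERS)


def sniff_xml(body):
    return body[:512].lstrip().lower().startswith("<?xml")


def sniff_json(body):
    if not body.lstrip().startswith(("{", "[")):
        return False
    try:
        json.loads(body)
        return True
    except ValueError:
        return False


def sniff_confirms(mime, body):
    """Does the body look like the protected type the Content-Type claims?"""
    if mime == "text/html":
        return sniff_html(body)
    if mime in ("text/xml", "application/xml"):
        return sniff_xml(body)
    if mime == "application/json":
        return sniff_json(body)
    return False


def corb_blocks(headers, body, requesting_origin):
    """Decide whether CORB withholds this cross-origin response from the renderer."""
    h = normalize_headers(headers)
    if cors_allows(h, requesting_origin):
        return False                      # CORS explicitly allows: deliver
    mime = mime_type(h)
    if mime not in PROTECTED:
        return False                      # not a data resource CORB cares about
    if has_nosniff(h):
        return True                       # trust the declared type, no sniffing
    return sniff_confirms(mime, body)     # block only if the body confirms the type


def renderer_view(headers, body, requesting_origin):
    """What the renderer receives: the body, or an empty body when blocked."""
    return "" if corb_blocks(headers, body, requesting_origin) else body


# Constructed sample responses (not captured traffic); origin name is made up.
ORIGIN = "https://other.example"
PNG = "\x89PNG\r\n\x1a\n...pixels..."
SAMPLES = {
    # Correctly configured JSON API: nosniff, so blocked without looking at the body.
    "json_nosniff": ({"Content-Type": "application/json",
                      "X-Content-Type-Options": "nosniff"}, '{"balance": 42}'),
    # Same API, but CORS explicitly allows the caller: delivered.
    "json_cors_allowed": ({"Content-Type": "application/json; charset=utf-8",
                           "X-Content-Type-Options": "nosniff",
                           "Access-Control-Allow-Origin": ORIGIN}, '{"balance": 42}'),
    # JSON without nosniff: the sniffer still recognises it, so blocked.
    "json_sniffed": ({"Content-Type": "application/json"}, '{"balance": 42}'),
    # Misconfigured server labels a PNG as text/html; no HTML sniffed, so delivered.
    "png_as_html": ({"Content-Type": "text/html"}, PNG),
    # Real HTML document without nosniff: sniffed as HTML, blocked.
    "html_sniffed": ({"Content-Type": "text/html"}, "<!DOCTYPE html><html><body>hi</body></html>"),
    # Correct image type is not a protected type at all: delivered.
    "png_correct": ({"Content-Type": "image/png"}, PNG),
}


def classify_samples():
    """Return {sample name: blocked?} for every constructed sample."""
    return {name: corb_blocks(h, body, ORIGIN) for name, (h, body) in SAMPLES.items()}


if __name__ == "__main__":
    for name, blocked in classify_samples().items():
        print(f"{name:18s} -> {'blocked (empty body)' if blocked else 'delivered'}")
```

The `png_as_html` and `json_sniffed` cases show why the nosniff header matters in both directions: without it, a mislabelled image is rescued by sniffing, but a JSON body is still protected only because the heuristic happens to recognise it. Setting the correct Content-Type plus nosniff removes that dependence on sniffing.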

6 - Documentation / Reference

web/browser/corb.txt · Last modified: 2019/04/14 14:25 by gerardnico