Bug 1459357 (corb): Cross-Origin Read Blocking (CORB)
Status: RESOLVED WONTFIX (Closed)
Opened 7 years ago; Closed 2 years ago
Categories: Core :: DOM: Core & HTML, enhancement, P3
Fission Milestone: Future
People: Reporter: lukasza, Unassigned
References: Blocks 3 open bugs
Whiteboard: [sp3]
Cross-origin read blocking, better known as CORB, is an algorithm by which dubious cross-origin resource fetches are identified and blocked before they reach a web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks.
More info:
- Explainer: https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md
- WhatWG issue: https://github.com/whatwg/fetch/issues/681
- PR for Fetch spec changes: https://github.com/whatwg/fetch/pull/686
- Initial public support from Firefox: https://groups.google.com/a/chromium.org/forum/#!msg/site-isolation-dev/pp5C8XKz7AI/2zNOn-S_BgAJ
Updated•7 years ago
Mentor: annevk
Updated•7 years ago
Alias: corb
Comment 1•7 years ago
FYI: I'm about to land the Fetch PR. It standardizes all the bits of CORB that can be implemented without sniffing the response. Tests can be found in fetch/corb in web-platform-tests.
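The header-only part of CORB that comment 1 refers to can be modelled as below. This is an added example, not code from this bug, the Fetch spec or any browser; the function names, the response-object shape and the sample responses are constructed, and the rules it encodes (HTML/JSON/XML as protected types, `nosniff` and status 206 as blocking triggers) are a simplified reading of the linked explainer.

```javascript
// Added illustration of a header-only CORB decision (no body sniffing).
// All names here are hypothetical; this is not browser or Fetch-spec code.

// Reduce a Content-Type value to its lowercase essence, e.g. "text/html".
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[^\s\/]+\/[^\s\/]+$/.test(essence) ? essence : null;
}

// HTML, JSON and XML are protected; SVG is XML but legitimately loads as an image.
function isCorbProtected(essence) {
  if (essence === "image/svg+xml") return false;
  return essence === "text/html" ||
    ["application/json", "text/json"].includes(essence) || essence.endsWith("+json") ||
    ["application/xml", "text/xml"].includes(essence) || essence.endsWith("+xml");
}

// res: { url, mode, status, headers }, header names already lowercased.
function corbCheck(res) {
  if (res.mode !== "no-cors") return "allowed";   // CORS-mode reads are decided by CORS
  if (!/^https?:/i.test(res.url)) return "allowed";
  const essence = mimeEssence(res.headers["content-type"]);
  if (essence === null) return "allowed";         // no declared type: needs sniffing to decide
  const xcto = (res.headers["x-content-type-options"] || "").trim().toLowerCase();
  if (res.status === 206 && isCorbProtected(essence)) return "blocked";
  if (xcto === "nosniff" && (isCorbProtected(essence) || essence === "text/plain")) return "blocked";
  return "allowed";
}

// Constructed sample responses to cross-origin <img>/<script>-style (no-cors) requests.
const u = "https://bank.example/api/account";
const samples = {
  jsonNosniff: { url: u, mode: "no-cors", status: 200,
    headers: { "content-type": "application/json; charset=utf-8", "x-content-type-options": "nosniff" } },
  jsonNoHeader: { url: u, mode: "no-cors", status: 200, headers: { "content-type": "application/json" } },
  htmlRange: { url: u, mode: "no-cors", status: 206, headers: { "content-type": "text/html" } },
  svgNosniff: { url: u, mode: "no-cors", status: 200,
    headers: { "content-type": "image/svg+xml", "x-content-type-options": "nosniff" } },
  scriptNosniff: { url: u, mode: "no-cors", status: 200,
    headers: { "content-type": "text/javascript", "x-content-type-options": "nosniff" } },
};

function runSamples() {
  return Object.fromEntries(Object.entries(samples).map(([k, r]) => [k, corbCheck(r)]));
}
console.log(runSamples());
```

In this model the `jsonNoHeader` case is allowed by the header-only check, so a server that wants the protection without depending on sniffing sends an accurate `Content-Type` together with `X-Content-Type-Options: nosniff`.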
Updated•6 years ago
Component: Security → DOM
Updated•6 years ago
Priority: -- → P3
Updated•6 years ago
Fission Milestone: --- → Future
Comment 2•6 years ago
I'm no longer convinced we should do this. Bug 1532642 is a much more secure approach that seems doable.
Updated•6 years ago
Component: DOM → DOM: Core & HTML
Updated•2 years ago
Severity: normal → S3
Comment 3•2 years ago
We're doing bug 1532642, not this one.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX
Updated•2 years ago
Whiteboard: [sp3]
Updated•2 years ago
See Also: → https://mozilla-hub.atlassian.net/browse/SP3-77