Skip to content

Commit

Permalink
Remove CORB
Browse files Browse the repository at this point in the history
It's not implemented as specified and only has one interested implementer.

Closes #681. Closes #727. Closes #778.
  • Loading branch information
annevk authored May 25, 2022
1 parent 80c38ca commit 78f9bdd
Showing 1 changed file with 4 additions and 75 deletions.
79 changes: 4 additions & 75 deletions fetch.bs
Original file line number Diff line number Diff line change
Expand Up @@ -3552,61 +3552,6 @@ X-Content-Type-Options = "nosniff" ; case-insensitive
pertain to them. Also, considering "<code>image</code>" was not compatible with deployed content.


<h3 id=corb>CORB</h3>

<p class="note">Cross-origin read blocking, better known as CORB, is an algorithm which identifies
dubious cross-origin resource fetches (e.g., fetches that would fail anyway like attempts to render
JSON inside an <code>img</code> element) and blocks them before they reach a web page. CORB reduces
the risk of leaking sensitive data by keeping it further from cross-origin web pages.

<p>A <dfn>CORB-protected MIME type</dfn> is an <a>HTML MIME type</a>, a <a>JSON MIME type</a>, or an
<a>XML MIME type</a> excluding <code>image/svg+xml</code>.

<p class="note no-backref">Even without CORB, accessing the content of cross-origin resources with
<a>CORB-protected MIME types</a> is either managed by the <a>CORS protocol</a> (e.g., in case of
{{XMLHttpRequest}}), not observable (e.g., in case of pings or CSP reports which ignore the
response), or would result in an error (e.g., when failing to decode an HTML document embedded in an
<code>img</code> element as an image). This means that CORB can block
<a>CORB-protected MIME types</a> resources without being disruptive to web pages.

<p>To perform a <dfn noexport>CORB check</dfn>, given a <var>request</var> and <var>response</var>,
run these steps:</p>

<ol>
<li>
<p>If <var>request</var>'s <a for=request>initiator</a> is "<code>download</code>", then return
<b>allowed</b>.

<p class=XXX>If we recast downloading as navigation this step can be removed.

<li><p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is not an
<a>HTTP(S) scheme</a>, then return <b>allowed</b>.

<li><p>Let <var>mimeType</var> be the result of <a for="header list">extracting a MIME type</a>
from <var>response</var>'s <a for=response>header list</a>.

<li><p>If <var>mimeType</var> is failure, then return <b>allowed</b>.

<li><p>If <var>response</var>'s <a for=response>status</a> is 206 and <var>mimeType</var> is a
<a>CORB-protected MIME type</a>, then return <b>blocked</b>.

<li>
<p>If <a>determine nosniff</a> with <var>response</var>'s <a for=response>header list</a> is true
and <var>mimeType</var> is a <a>CORB-protected MIME type</a> or its <a for="MIME type">essence</a>
is "<code>text/plain</code>", then return <b>blocked</b>.

<p class="note no-backref">CORB only protects <code>text/plain</code> responses with a
`<code>X-Content-Type-Options: nosniff</code>` header. Unfortunately, protecting such responses
without that header when their <a for=response>status</a> is 206 would break too many existing
video responses that have a <code>text/plain</code> <a for=/>MIME type</a>.

<!-- TODO: MIME type confirmation sniffing -->
<!-- TODO: JSON security prefix sniffing -->

<li><p>Return <b>allowed</b>.
</ol>


<h3 id=cross-origin-resource-policy-header>`<code>Cross-Origin-Resource-Policy</code>` header</h3>

<p>The
Expand Down Expand Up @@ -4125,35 +4070,19 @@ steps:
<a>HTTP(S) scheme</a>.
[[!HTML]] [[!SW]]

<dt><var>request</var>'s <a for=request>mode</a> is
"<code>same-origin</code>"
<dt><var>request</var>'s <a for=request>mode</a> is "<code>same-origin</code>"
<dd><p>Return a <a>network error</a>.

<dt><var>request</var>'s <a for=request>mode</a> is
"<code>no-cors</code>"
<dt><var>request</var>'s <a for=request>mode</a> is "<code>no-cors</code>"
<dd>
<ol>
<li><p>If <var>request</var>'s <a for=request>redirect mode</a> is not "<code>follow</code>",
then return a <a>network error</a>.

<li><p>Set <var>request</var>'s
<a for=request>response tainting</a> to
"<code>opaque</code>".
<li><p>Set <var>request</var>'s <a for=request>response tainting</a> to "<code>opaque</code>".

<li><p>Let <var>noCorsResponse</var> be the result of running <a>scheme fetch</a> given
<var>fetchParams</var>.
<li><p>Return the result of running <a>scheme fetch</a> given <var>fetchParams</var>.
<!-- file URLs end up here as they are not same-origin typically. -->

<li><p>If <var>noCorsResponse</var> is a <a>filtered response</a> or the <a>CORB check</a> with
<var>request</var> and <var>noCorsResponse</var> returns <b>allowed</b>, then return
<var>noCorsResponse</var>.

<li>
<p>Return a new <a for=/>response</a> whose <a for=response>status</a> is
<var>noCorsResponse</var>'s <a for=response>status</a>.

<p class="warning">This is only an effective defense against side channel attacks if
<var>noCorsResponse</var> is kept isolated from the process that initiated the request.
</ol>

<dt><var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is not an
Expand Down

0 comments on commit 78f9bdd

Please sign in to comment.