Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove CORB #1441

Merged
merged 1 commit into from
May 25, 2022
Merged

Remove CORB #1441

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
79 changes: 4 additions & 75 deletions fetch.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3547,61 +3547,6 @@ X-Content-Type-Options = "nosniff" ; case-insensitive
pertain to them. Also, considering "<code>image</code>" was not compatible with deployed content.


<h3 id=corb>CORB</h3>

<p class="note">Cross-origin read blocking, better known as CORB, is an algorithm which identifies
dubious cross-origin resource fetches (e.g., fetches that would fail anyway like attempts to render
JSON inside an <code>img</code> element) and blocks them before they reach a web page. CORB reduces
the risk of leaking sensitive data by keeping it further from cross-origin web pages.

<p>A <dfn>CORB-protected MIME type</dfn> is an <a>HTML MIME type</a>, a <a>JSON MIME type</a>, or an
<a>XML MIME type</a> excluding <code>image/svg+xml</code>.

<p class="note no-backref">Even without CORB, accessing the content of cross-origin resources with
<a>CORB-protected MIME types</a> is either managed by the <a>CORS protocol</a> (e.g., in case of
{{XMLHttpRequest}}), not observable (e.g., in case of pings or CSP reports which ignore the
response), or would result in an error (e.g., when failing to decode an HTML document embedded in an
<code>img</code> element as an image). This means that CORB can block
<a>CORB-protected MIME types</a> resources without being disruptive to web pages.

<p>To perform a <dfn noexport>CORB check</dfn>, given a <var>request</var> and <var>response</var>,
run these steps:</p>

<ol>
<li>
<p>If <var>request</var>'s <a for=request>initiator</a> is "<code>download</code>", then return
<b>allowed</b>.

<p class=XXX>If we recast downloading as navigation this step can be removed.

<li><p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is not an
<a>HTTP(S) scheme</a>, then return <b>allowed</b>.

<li><p>Let <var>mimeType</var> be the result of <a for="header list">extracting a MIME type</a>
from <var>response</var>'s <a for=response>header list</a>.

<li><p>If <var>mimeType</var> is failure, then return <b>allowed</b>.

<li><p>If <var>response</var>'s <a for=response>status</a> is 206 and <var>mimeType</var> is a
<a>CORB-protected MIME type</a>, then return <b>blocked</b>.

<li>
<p>If <a>determine nosniff</a> with <var>response</var>'s <a for=response>header list</a> is true
and <var>mimeType</var> is a <a>CORB-protected MIME type</a> or its <a for="MIME type">essence</a>
is "<code>text/plain</code>", then return <b>blocked</b>.

<p class="note no-backref">CORB only protects <code>text/plain</code> responses with a
`<code>X-Content-Type-Options: nosniff</code>` header. Unfortunately, protecting such responses
without that header when their <a for=response>status</a> is 206 would break too many existing
video responses that have a <code>text/plain</code> <a for=/>MIME type</a>.

<!-- TODO: MIME type confirmation sniffing -->
<!-- TODO: JSON security prefix sniffing -->

<li><p>Return <b>allowed</b>.
</ol>


<h3 id=cross-origin-resource-policy-header>`<code>Cross-Origin-Resource-Policy</code>` header</h3>

<p>The
Expand Down Expand Up @@ -4119,35 +4064,19 @@ steps:
<a>HTTP(S) scheme</a>.
[[!HTML]] [[!SW]]

<dt><var>request</var>'s <a for=request>mode</a> is
"<code>same-origin</code>"
<dt><var>request</var>'s <a for=request>mode</a> is "<code>same-origin</code>"
<dd><p>Return a <a>network error</a>.

<dt><var>request</var>'s <a for=request>mode</a> is
"<code>no-cors</code>"
<dt><var>request</var>'s <a for=request>mode</a> is "<code>no-cors</code>"
<dd>
<ol>
<li><p>If <var>request</var>'s <a for=request>redirect mode</a> is not "<code>follow</code>",
then return a <a>network error</a>.

<li><p>Set <var>request</var>'s
<a for=request>response tainting</a> to
"<code>opaque</code>".
<li><p>Set <var>request</var>'s <a for=request>response tainting</a> to "<code>opaque</code>".

<li><p>Let <var>noCorsResponse</var> be the result of running <a>scheme fetch</a> given
<var>fetchParams</var>.
<li><p>Return the result of running <a>scheme fetch</a> given <var>fetchParams</var>.
<!-- file URLs end up here as they are not same-origin typically. -->

<li><p>If <var>noCorsResponse</var> is a <a>filtered response</a> or the <a>CORB check</a> with
<var>request</var> and <var>noCorsResponse</var> returns <b>allowed</b>, then return
<var>noCorsResponse</var>.

<li>
<p>Return a new <a for=/>response</a> whose <a for=response>status</a> is
<var>noCorsResponse</var>'s <a for=response>status</a>.

<p class="warning">This is only an effective defense against side channel attacks if
<var>noCorsResponse</var> is kept isolated from the process that initiated the request.
</ol>

<dt><var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is not an
Expand Down