Browser - Cross-Origin Read Blocking (CORB)

About

Cross-Origin Read Blocking (CORB) is a security feature that prevents the contents of a resource from ever entering the memory of the renderer process memory based on its MIME type.

The main motivation behind CORB is to give malicious web page a hard time pulling cross-site resource into its process to steal.

Articles Related

Process

CORB prevents the renderer process from receiving a cross-origin data resource (i.e. HTML, XML, or JSON) if:

• CORS doesn’t explicitly allow access to the resource
• the resource has an X-Content-Type-Options: nosniff header. Otherwise, CORB attempts to sniff the response body to determine whether it’s HTML, XML, or JSON. (to prevent server misconfiguration that serve images as text/html, for example)

Blocked = Empty

Data resources that are blocked by the CORB policy are presented to the process as empty, although the request does still happen in the background. a

Configuration

To prevent CORB:

• Mark responses with the correct Content-Type header.
• Opt out of sniffing by using the X-Content-Type-Options: nosniff header. Without this header, Chrome does do a quick content analysis to try to confirm that the type is correct

Documentation / Reference

• CORB for web developers article
• in-depth CORB explainer
• https://developers.google.com/web/updates/2018/07/site-isolation