The main motivation behind CORB is to make it hard for a malicious web page to pull a cross-site resource into its renderer process so that it can be stolen from there.
- CORS doesn’t explicitly allow access to the resource
Blocked = Empty
Data resources that are blocked by the CORB policy are presented to the renderer process as empty, although the request itself still happens in the background.
To avoid problems with CORB:
- Opt out of sniffing by sending the `X-Content-Type-Options: nosniff` header together with a correct `Content-Type`. Without this header, Chrome performs a quick content analysis (sniffing) of the response body to try to confirm that the declared type is correct.
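The following is an added example, not code from the original notes or from Chromium: a small audit helper that models, from a response's headers alone, whether CORB can act without sniffing (protected type plus `nosniff`), whether Chrome would have to sniff (protected type without `nosniff`), whether CORS explicitly allows the requesting origin, or whether the type is outside CORB's scope. It also includes a minimal handler that serves a JSON resource with the recommended headers. The protected-type list, the four outcome labels and the CORS check are a simplified model of CORB's decision, assumed here for illustration; `text/plain` handling is left out.

```python
# Added example (not from the original notes): audit helper for the header state
# CORB relies on, plus a handler that sends a JSON resource with those headers.
# Assumptions: PROTECTED_TYPES and the outcome labels are a simplified model of
# CORB, not Chrome's implementation; text/plain sniffing rules are omitted.
from http.server import BaseHTTPRequestHandler, HTTPServer
import json

# MIME types CORB treats as protected: HTML, XML, JSON and their +xml/+json variants.
PROTECTED_TYPES = {"text/html", "text/xml", "application/xml", "application/json"}


def media_type(content_type):
    """Strip parameters such as '; charset=utf-8' and lower-case the media type."""
    return content_type.split(";", 1)[0].strip().lower()


def is_protected_type(content_type):
    mt = media_type(content_type)
    return mt in PROTECTED_TYPES or mt.endswith("+xml") or mt.endswith("+json")


def corb_outcome(headers, requesting_origin=None):
    """Classify a cross-origin response by its headers (names are case-insensitive).

    'allowed-by-cors':            CORS explicitly allows requesting_origin; CORB stays out.
    'not-protected':              a type CORB does not cover (images, scripts, ...).
    'protected-without-sniffing': protected type and nosniff; CORB trusts the header.
    'sniffed':                    protected type but no nosniff; Chrome sniffs the body.
    """
    h = {k.lower(): v for k, v in headers.items()}
    acao = h.get("access-control-allow-origin", "").strip()
    if requesting_origin is not None and acao in ("*", requesting_origin):
        return "allowed-by-cors"
    if not is_protected_type(h.get("content-type", "")):
        return "not-protected"
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    return "protected-without-sniffing" if nosniff else "sniffed"


def response_headers():
    """The header set JsonHandler sends, in dict form, so it can be audited."""
    return {"Content-Type": "application/json", "X-Content-Type-Options": "nosniff"}


class JsonHandler(BaseHTTPRequestHandler):
    """Serves a JSON resource with the headers that let CORB act without sniffing."""

    def do_GET(self):
        body = json.dumps({"secret": "constructed sample value"}).encode()
        self.send_response(200)
        for name, value in response_headers().items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Run locally and inspect the headers with any HTTP client.
    HTTPServer(("127.0.0.1", 8000), JsonHandler).serve_forever()
```

The useful check for a defender is the `"sniffed"` outcome: a JSON or HTML endpoint returning it is one whose protection depends on Chrome's content analysis rather than on a header the server controls, so adding `nosniff` there is the cheap fix.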