About
Cross-Origin Read Blocking (CORB) is a security feature that prevents the contents of a resource from ever entering the memory of the renderer process memory based on its MIME type.
The main motivation behind CORB is to give malicious web page a hard time pulling cross-site resource into its process to steal.
Articles Related
Process
CORB prevents the renderer process from receiving a cross-origin data resource (i.e. HTML, XML, or JSON) if:
- CORS doesn’t explicitly allow access to the resource
- the resource has an X-Content-Type-Options: nosniff header. Otherwise, CORB attempts to sniff the response body to determine whether it’s HTML, XML, or JSON. (to prevent server misconfiguration that serve images as text/html, for example)
Blocked = Empty
Data resources that are blocked by the CORB policy are presented to the process as empty, although the request does still happen in the background. a
Configuration
To prevent CORB:
- Mark responses with the correct Content-Type header.
- Opt out of sniffing by using the X-Content-Type-Options: nosniff header. Without this header, Chrome does do a quick content analysis to try to confirm that the type is correct