Browser - Cross-Origin Read Blocking (CORB)



Cross-Origin Read Blocking (CORB) is a security feature that prevents the contents of a resource from ever entering the memory of the renderer process memory based on its MIME type.

The main motivation behind CORB is to give malicious web page a hard time pulling cross-site resource into its process to steal.


CORB prevents the renderer process from receiving a cross-origin data resource (i.e. HTML, XML, or JSON) if:

  • CORS doesn’t explicitly allow access to the resource
  • the resource has an X-Content-Type-Options: nosniff header. Otherwise, CORB attempts to sniff the response body to determine whether it’s HTML, XML, or JSON. (to prevent server misconfiguration that serve images as text/html, for example)

Blocked = Empty

Data resources that are blocked by the CORB policy are presented to the process as empty, although the request does still happen in the background. a


To prevent CORB:

  • Mark responses with the correct Content-Type header.
  • Opt out of sniffing by using the X-Content-Type-Options: nosniff header. Without this header, Chrome does do a quick content analysis to try to confirm that the type is correct

Documentation / Reference

Discover More
Browser - Fetching Resources (Request/Response)

This article is fetching (http request/response) in the browser. User agents can implement a variety of transfer protocols to fetch resources such as: HTTP : , ... Form FTP ... rendering...

Share this page:
Follow us:
Task Runner