Have you seen this type of console warning in your browser console ?
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://example.com/sub with MIME type application/json. You may be familiar with CORS, but what is CORB ?
First of all, what is CORS ?
<script src="https://domain-b.com/example.js"></script> will fail to load in a browser.
If the server responds with
Access-Control-Allow-Origin: *, it means that the resources of domain-a.com can be accessed by any origin. Using wildcard relaxes the security offered by CORS allowing XSS attacks and is therefore not recommended.
It's also important to add the
Vary: Origin header to eliminate caching. Without this header, it can lead to cache poisoning/DNS spoofing attacks, which attackers can use to redirect traffic to malicious hosts.
Read further MDN Web Docs: Cross-Origin Resource Sharing (CORS)
HackTricks: CORS - Misconfigurations & Bypass
What is CORB ?
There are two types of data that can be requested from a server:
data resources such as HTML, XML, or JSON documents and
With CORS headers
Access-Control-Allow-Origin: * a website can access cross-origin data resources, whereas media resources can be included from any origin, even without permissive CORS headers.
Cross-Origin Read Blocking (CORB) prevents the browser from receiving a cross-origin data resource if it has an
X-Content-Type-Options: nosniff or if CORS doesn’t explicitly allow access to the resource.
X-Content-Type-Options is an HTTP response header used by the server which specifies the MIME types (such as text, font and models) that the
Content-Type headers should strictly follow. It allows you to avoid MIME type sniffing.)
A malicious web page could use an
<script> element to load a JSON file with sensitive data, like your bank balance and commit the sensitive data to memory:
<script src="https://your-bank.example/balance.json" />
CORB along with Site isolation protection prevents the above contents of balance.json from ever entering the memory of the renderer process memory based on its MIME type defending against attacks such as Cross-Site Script Inclusion (XSSI) and Speculative Side Channel Attack (e.g. Spectre).
For optimal security and to benefit from CORB, the responses should be marked with the correct
Read further CORB explainer
CORB for developers
Oldest comments (0)