Summary: Opaque Response Blocking (ORB) is a heuristic that blocks certain no-cors cross-origin responses so that their bodies cannot be read through a Spectre attack, while remaining web compatible.
This is partially implemented: it still lacks the JavaScript validation step, whose purpose is to block JSON responses while letting JavaScript pass through; that part of the implementation is not finished yet.

Any blocked request will be logged to the browser console, e.g.:

  The resource at <resource url> was blocked due to its Cross-Origin-Resource-Sharing header (or lack thereof)

So please file a bug if you experience site breakage and see requests being blocked by ORB.

Bug:
- Initial implementation sets up the framework: https://bugzilla.mozilla.org/show_bug.cgi?id=1696111
- The bug which enables the above implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1785331

Specification: https://github.com/annevk/orb

Standards Body: There's a PR open which has the actual changes to the Fetch spec: https://github.com/whatwg/fetch/pull/1442

Platform coverage: All

Preference: This feature can be turned off by setting *browser.opaqueResponseBlocking* to *false*.

Other browsers: Chrome has ORBv0.1 <https://groups.google.com/a/chromium.org/g/blink-dev/c/ScjhKz3Z6U4/m/5i_0V7ogAwAJ> shipped in 105.

web-platform-tests: No WPTs yet. We have added the initial batch of tests in https://bugzilla.mozilla.org/show_bug.cgi?id=1785331. We have also been relying on all other existing tests for remaining web compatibility.

I'll bump this email again once the patches land.

Thanks,
Sean Feng

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-platform/CALKhkhb2pGy2a4PVpxa%3DpkpzZX6hawVV6OPvVo5C-hDKBCSCng%40mail.gmail.com.
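To make the decision the post describes concrete, here is a simplified model of ORB written for this page as an added example. It is not Firefox's implementation and not the text of the ORB proposal: the MIME-type lists are reduced, the "CORS header permits the requester" shortcut is an assumption of this model (motivated by the console message quoted above), and the proposal's "does the body parse as JavaScript?" step is approximated by "does the body parse as JSON?" (block if it does), since no JavaScript parser is used here. All sample responses, origins and URLs are constructed for the example.

```python
"""Simplified model of Opaque Response Blocking (ORB).

Added teaching example, not Firefox code and not the ORB proposal text.
Given a no-cors cross-origin response, decide whether its body may reach
the content process, and produce the console message a blocked request
would get.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit
import json


@dataclass
class Response:
    url: str
    status: int
    headers: dict      # header names in lower case (constructed inputs below)
    body: bytes


# Types that no-cors consumers (script, stylesheet, media elements) legitimately
# use; these are handed over opaquely. Reduced lists for the example.
JS_MIME = {"text/javascript", "application/javascript",
           "application/x-javascript", "text/ecmascript", "application/ecmascript"}
SAFELISTED = JS_MIME | {"text/css"}
SAFELISTED_PREFIXES = ("image/", "audio/", "video/", "font/")
# Types that no-cors consumers never need and that frequently carry user data.
BLOCKLISTED = {"text/html", "application/json", "text/json", "application/xml",
               "text/xml", "text/csv", "text/event-stream"}


def origin(url: str) -> str:
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def mime_essence(headers: dict) -> str:
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()


def looks_like_json(body: bytes) -> bool:
    try:
        json.loads(body.decode("utf-8"))
        return True
    except (ValueError, UnicodeDecodeError):
        return False


def orb_decision(request_origin: str, mode: str, resp: Response) -> tuple:
    """Return (allowed, reason). Only no-cors cross-origin responses are
    subject to the heuristic; everything else is governed by CORS."""
    if mode != "no-cors":
        return True, "not a no-cors request; CORS decides"
    if origin(resp.url) == request_origin:
        return True, "same-origin"
    # Assumption of this model: a response whose CORS header names the
    # requester is readable anyway, so there is nothing to protect.
    acao = resp.headers.get("access-control-allow-origin")
    if acao in ("*", request_origin):
        return True, "Access-Control-Allow-Origin permits the requester"
    mime = mime_essence(resp.headers)
    if mime in SAFELISTED or mime.startswith(SAFELISTED_PREFIXES):
        return True, f"safelisted type {mime}"
    if mime in BLOCKLISTED:
        return False, f"blocklisted type {mime}"
    if resp.status == 206:
        return False, "range response of non-safelisted type"
    if resp.headers.get("x-content-type-options", "").lower() == "nosniff":
        return False, f"nosniff with non-safelisted type {mime or '(none)'}"
    # Ambiguous type (text/plain, missing or unknown): look at the body.
    if resp.body.startswith((b"\x89PNG", b"\xff\xd8\xff", b"GIF8")):
        return True, "body sniffs as an image"
    if looks_like_json(resp.body):
        return False, "body parses as JSON (stand-in for the JavaScript-parse check)"
    return True, "body does not look like JSON; passed through as script-like content"


def console_message(resp: Response) -> str:
    """The message Firefox logs for a blocked response, as quoted in the post."""
    return (f"The resource at {resp.url} was blocked due to its "
            "Cross-Origin-Resource-Sharing header (or lack thereof)")


# Constructed samples: a page at https://app.example loading resources from
# https://api.example in no-cors mode (as <script src> or <img> would).
REQUESTER = "https://app.example"
SAMPLES = [
    Response("https://api.example/me", 200, {"content-type": "application/json"}, b'{"user":"alice"}'),
    Response("https://api.example/lib.js", 200, {"content-type": "text/javascript"}, b"window.x=1;"),
    Response("https://api.example/logo.png", 200, {"content-type": "image/png"}, b"\x89PNG\r\n\x1a\n"),
    Response("https://api.example/data.txt", 200, {"content-type": "text/plain"}, b"[1,2,3]"),
    Response("https://api.example/public", 200,
             {"content-type": "application/json", "access-control-allow-origin": "*"}, b'{"ok":true}'),
    Response("https://app.example/own.json", 200, {"content-type": "application/json"}, b'{"ok":true}'),
]


def classify(samples=SAMPLES, requester=REQUESTER, mode="no-cors") -> dict:
    """Map each sample URL to True (allowed) or False (blocked)."""
    return {r.url: orb_decision(requester, mode, r)[0] for r in samples}


if __name__ == "__main__":
    for r in SAMPLES:
        allowed, why = orb_decision(REQUESTER, "no-cors", r)
        print("ALLOW" if allowed else "BLOCK", r.url, "-", why)
        if not allowed:
            print("  console:", console_message(r))
```

Running it shows the two outcomes the post cares about side by side: the JSON endpoint and the text/plain body that is really JSON are blocked (with the console line to look for when triaging a breakage report), while the script, the image, the CORS-enabled response and the same-origin fetch pass through untouched.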
