On 2022-03-24 08:04, Anne van Kesteren wrote:
> On Wed, Mar 23, 2022 at 6:19 PM Patrick Griffis via webkit-dev
> <webkit-dev@lists.webkit.org> wrote:
>> I'd like a position on CORB and intend to implement it in the future.
>> This is already part of the Fetch Standard[0] and should be relatively
>> straightforward.
>>
>> It effectively blocks cross-origin requests for resources that don't
>> make sense in their context. For example an `img` element should never
>> get a response that contains HTML, and in that case it will not return the
>> HTML data. This can prevent unintentional data leaks.
>>
>> This has been implemented by Chromium for years now and I don't believe it will
>> be invasive.
>>
>> [0] https://fetch.spec.whatwg.org/#corb
>
> I'd recommend against this, for these reasons:
>
> 1. Both Chromium and Gecko are working on
> https://github.com/annevk/orb as initially discussed at
> https://github.com/whatwg/fetch/issues/721. When done this would
> replace CORB.
> 2. CORB as specified in Fetch is a subset of what Chromium implements.
> Various aspects, such as sniffing, are not specified.
> 3. What Chromium implements has also changed over time and Fetch
> hasn't been updated.
Thanks for the input. My intention was to implement the sniffing that Chromium does which, while not part of the spec, is somewhat documented[0]. I believe directly going to ORB and skipping CORB is not a bad idea and something I could work on if that is the preferred spec.

[0] https://chromium.googlesource.com/chromium/src/+/HEAD/services/network/cross_origin_read_blocking_explainer.md
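The check the thread describes, as a constructed model added here (not code from WebKit, Chromium or the Fetch Standard): a cross-origin `no-cors` response that is really HTML, XML or JSON is withheld from a context such as `img` or `script` that cannot legitimately use it. The MIME classes, the `text/plain` sniff-only rule and the body-sniffing heuristics are simplified assumptions for illustration, not the normative algorithm or Chromium's sniffer.

```python
import re

# Constructed model of the CORB decision discussed in the thread. A cross-origin
# "no-cors" fetch (the kind made by <img>, <script>, <link rel=stylesheet>) whose
# response is HTML/XML/JSON gets "blocked" (the caller substitutes an empty body).
# MIME classes and sniffing heuristics below are simplified assumptions.

SNIFF_ONLY = {"text/plain"}                           # assumed: blocked only if sniffing confirms
ANTI_XSSI_PREFIXES = (b")]}'", b"{}&&", b"for(;;);")  # JSON "parser breaker" prefixes
HTML_RE = re.compile(rb"^\s*(<!--|<!doctype\s+html|<(html|head|body|script|meta|title|iframe)\b)", re.I)
XML_RE = re.compile(rb"^\s*<\?xml\b")
JSON_RE = re.compile(rb'^\s*\{\s*"')                  # object whose first key is a quoted string


def mime_essence(content_type):
    """'text/html; charset=utf-8' -> 'text/html' (lower-cased); '' when absent."""
    return (content_type or "").split(";", 1)[0].strip().lower()


def protected_class(essence):
    """Return 'html', 'xml', 'json', 'sniff-only' or None for a MIME essence."""
    if essence == "image/svg+xml":           # XML, but a legitimate <img> source
        return None
    if essence == "text/html":
        return "html"
    if essence in ("text/xml", "application/xml") or essence.endswith("+xml"):
        return "xml"
    if essence in ("application/json", "text/json") or essence.endswith("+json"):
        return "json"
    return "sniff-only" if essence in SNIFF_ONLY else None


def sniff_confirms(body_prefix):
    """True if the leading bytes look like HTML, XML or JSON (assumed heuristics)."""
    if body_prefix.lstrip().startswith(ANTI_XSSI_PREFIXES):
        return True
    return any(r.match(body_prefix) for r in (HTML_RE, XML_RE, JSON_RE))


def corb_check(mode, same_origin, status, content_type, nosniff, body_prefix=b""):
    """Return 'allowed' or 'blocked' for one response delivered to a no-cors context."""
    if mode != "no-cors" or same_origin:     # CORS-mode fetches are gated by CORS instead
        return "allowed"
    cls = protected_class(mime_essence(content_type))
    if cls is None:
        return "allowed"
    if cls != "sniff-only" and (nosniff or status == 206):
        return "blocked"                     # declared type is trusted; partial content can't be sniffed
    return "blocked" if sniff_confirms(body_prefix[:1024]) else "allowed"
```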