The patches just made it to mozilla-central. Again, any blocked request will be logged in to the browser console as "The resource at <resource url> was blocked due to its Cross-Origin-Resource-Sharing header (or lack thereof)", and the feature can be toggled by *browser.opaqueResponseBlocking*. So please file bugs and needinfo 'sefeng' if anything breaks.

Thanks,
Sean Feng

On Wed, Oct 26, 2022 at 3:09 PM Sean Feng <[email protected]> wrote:

> Summary: Opaque Response Blocking (ORB) is a heuristic which intends to
> block no-cors cross-origin requests to prevent those requests from being
> read by a Spectre attack while remaining web compatible.
>
> This is partially implemented because it lacks the JavaScript validation
> stuff such that we want to block JSON responses while allowing JavaScript
> to pass through, however we haven't finished the implementation for this
> part yet.
>
> Any blocked request will be logged in to the browser console, e.g.:
> The resource at <resource url> was blocked due to its
> Cross-Origin-Resource-Sharing header (or lack thereof)
> So please file a bug if you experience site breakage and see some requests
> are blocked by ORB.
>
> Bug:
> - Initial implementation sets up the framework:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1696111
> - The bug which enables the above implementation:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1785331
>
> Specification: https://github.com/annevk/orb
>
> Standards Body: There's a PR open which has the actual changes to the
> Fetch spec: https://github.com/whatwg/fetch/pull/1442
>
> Platform coverage: All
>
> Preference: This feature can be turned off by setting
> *browser.opaqueResponseBlocking* to *false*
>
> Other browsers: Chrome has ORBv0.1
> <https://groups.google.com/a/chromium.org/g/blink-dev/c/ScjhKz3Z6U4/m/5i_0V7ogAwAJ>
> shipped in 105.
>
> web-platform-tests: No WPTs yet. We have added the initial batch of tests
> in https://bugzilla.mozilla.org/show_bug.cgi?id=1785331. We have also
> been relying on all other existing tests for remaining web compatibility.
>
> I'll bump this email again once the patches land.
>
> Thanks,
> Sean Feng
