On Wed, Mar 23, 2022 at 6:19 PM Patrick Griffis via webkit-dev
<webkit-dev@lists.webkit.org> wrote:
> I'd like a position on CORB and intend to implement it in the future.
> This is already part of the Fetch Standard[0] and should be relatively
> straightforward.
> It effectively blocks cross-origin requests for resources that don't
> make sense in their context. For example an `img` element should never
> get a response that contains HTML and in that case will not return the
> HTML data. This can prevent unintentional data leaks.
> This has been implemented by Chromium for years now and I don't believe it
> will be invasive.
> [0] https://fetch.spec.whatwg.org/#corb

I'd recommend against this, for these reasons:

1. Both Chromium and Gecko are working on
https://github.com/annevk/orb as initially discussed at
https://github.com/whatwg/fetch/issues/721. When done this would
replace CORB.
2. CORB as specified in Fetch is a subset of what Chromium implements.
Various aspects, such as sniffing, are not specified.
3. What Chromium implements has also changed over time and Fetch
hasn't been updated.
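To make the two positions concrete, here is a simplified model of the CORB check as the Fetch Standard specified it, added as an illustration and not code from either poster, WebKit or Chromium. It only encodes the specified part (no-cors cross-origin fetch, protected MIME type, 206 or nosniff); the sniffing that Chromium adds is unspecified, exactly as the reply says, so this model treats everything else as allowed. The request/response shapes and the sample origins are constructed for the example.

```javascript
// Simplified model of Fetch's CORB "determine whether to block" check.
// Illustration only: not browser code, and it deliberately omits the
// content sniffing Chromium layers on top (which Fetch never specified).

// Protected set: HTML, XML (excluding image/svg+xml) and JSON MIME types.
function isCorbProtected(mimeType) {
  const essence = mimeType.split(";")[0].trim().toLowerCase();
  const [type, subtype = ""] = essence.split("/");
  if (essence === "text/html") return true;
  if (essence === "image/svg+xml") return false;
  if (subtype.endsWith("+xml") || essence === "text/xml" ||
      essence === "application/xml") return true;
  if (subtype.endsWith("+json") || essence === "text/json" ||
      essence === "application/json") return true;
  return type === "" ? false : false;
}

// request: { mode, origin, url }, response: { status, headers }.
// Returns "allowed" or "blocked".
function corbCheck(request, response) {
  // CORB only applies to no-cors fetches of cross-origin HTTP(S) URLs;
  // same-origin and CORS-mode fetches are governed elsewhere.
  if (request.mode !== "no-cors") return "allowed";
  const target = new URL(request.url);
  if (!["http:", "https:"].includes(target.protocol)) return "allowed";
  if (target.origin === request.origin) return "allowed";

  const contentType = response.headers["content-type"];
  if (contentType === undefined) return "allowed"; // no MIME type to judge
  if (!isCorbProtected(contentType)) return "allowed";

  // A protected type is blocked outright for partial content (206) or when
  // the server sends X-Content-Type-Options: nosniff. Otherwise the spec
  // deferred to unspecified sniffing, modelled here as "allowed".
  if (response.status === 206) return "blocked";
  const xcto = (response.headers["x-content-type-options"] || "")
    .split(",")[0].trim().toLowerCase();
  return xcto === "nosniff" ? "blocked" : "allowed";
}

// Constructed scenario: an <img> on https://app.example (no-cors) pointing at
// a cross-origin URL that answers with HTML marked nosniff -> blocked.
function demoImgGetsHtml() {
  const request = { mode: "no-cors", origin: "https://app.example",
                    url: "https://other.example/profile" };
  const response = { status: 200, headers: { "content-type": "text/html; charset=utf-8",
                                             "x-content-type-options": "nosniff" } };
  return corbCheck(request, response); // "blocked"
}
```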