Cross-Origin Read Blocking for Web Developers
Cross-Origin Read Blocking (CORB) is a new web platform security feature that helps mitigate the threat of side-channel attacks (including Spectre). It is designed to prevent the browser from delivering certain cross-origin network responses to a web page, when they might contain sensitive information and are not needed for existing web features. For example, it will block a cross-origin text/html response requested from a <script> or <img> tag, replacing it with an empty response instead. This is an important part of the protections included with Site Isolation.
This document aims to help web developers know what actions they should take in response to CORB. For more information about CORB in general, please see the CORB explainer, the specification, the "Site Isolation for web developers" article, or the following talk from Google I/O 2018. (The CORB discussion starts at around 23:20 mark.)
Make sure these resources are served with a correct "Content-Type" response header from the list below, as well as a "X-Content-Type-Options: nosniff" response header. These headers ensure Chrome can identify the resources as needing protection, without depending on the contents of the resources.
- HTML MIME type - "text/html"
- XML MIME type - "text/xml", "application/xml", or any MIME type whose subtype ends in "+xml"
- JSON MIME type - "text/json", "application/json", or any MIME type whose subtype ends in "+json"
Note that we recommend not supporting multipart range requests for sensitive resources, because this changes the MIME type to multipart/byteranges and makes it harder for Chrome to protect. Typical range requests are not a problem and are treated similarly to the nosniff case.
Make sure these resources are served only in response to requests that include an unguessable CSRF token (which should be distributed via resources protected via the HTML, JSON, or XML steps above).
When CORB blocks a HTTP response, it emits the following warning message to the DevTools console in Chrome:
Cross-Origin Read Blocking (CORB) blocked cross-origin response https://www.example.com/example.html with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
(In Chrome 66 and earlier, this message was slightly different: Blocked current origin from receiving cross-site document at https://www.example.com/example.html with MIME type text/html.)
In most cases, the blocked response should not affect the web page's behavior and the CORB error message can be safely ignored. For example, the warning may occur in cases when the body of the blocked response was empty already, or when the response was going to be delivered to a context that can't handle it (e.g., a HTML document such as a 404 error page being delivered to an <img> tag). Note: Chrome will stop showing warning messages for empty or error responses in Chrome 69, since these are false positives that do not affect site behavior. If you see CORB warnings in Chrome 67 or 68, please test the site in Chrome 69 to see if any warnings remain.
In rare cases, the CORB warning message may indicate a problem on a website, which may disrupt its behavior when certain responses are blocked. For example, a response served with a "X-Content-Type-Options: nosniff" response header and an incorrect "Content-Type" response header may be blocked. This could, for example, block an actual image which is mislabeled as "Content-Type: text/html" and "nosniff." If this occurs and interferes with a page's behavior, we recommend informing the website and requesting that they correct the "Content-Type" header for the response.
If you suspect Chrome is incorrectly blocking a response and that this is disrupting the behavior of a website, please file a Chromium bug describing the incorrectly blocked response (both the headers and body) and/or the URL serving it. You can confirm if a problem is due to CORB by temporarily disabling it, by starting Chrome with the following command line flag: