Opaque Response Blocking (ORB) is a replacement for Cross-Origin Read Blocking (CORB - https://chromestatus.com/feature/5629709824032768). CORB and ORB are both heuristics that attempt to prevent cross-origin disclosure of “no-cors” subresources. This entry tracks v0.1 of ORB, Chrome's first step toward a full ORB implementation. For interoperability, web authors should check the Content-Type headers of their resources and indicate multimedia content when needed (e.g. audio/*, application/dash+xml, etc.).
ORB v0.1 is an incremental step toward full ORB compliance (i.e. a step toward cross-browser compatibility) and offers incremental security benefits compared to CORB. ORB v0.1 still fails open, like CORB and unlike full ORB, but protects more responses:
- CORB blocks responses that contain HTML and XML only if they are labeled with an HTML or XML MIME type. ORB v0.1 blocks responses that contain HTML and XML even if they are mislabeled (e.g. HTML served as application/octet-stream, or XML served as text/html).
- CORB blocks range request responses only if they are labeled with an HTML, JSON, or XML MIME type. ORB v0.1 blocks all range request responses, unless they come from a URL that ORB v0.1 has earlier recognized (via sniffing, or via MIME type) as audio or video.
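The two differences described above, written as a simplified decision model and run over constructed responses. This is an added example, not Chromium code; the response object shape, the sniffing patterns, the MIME type lists, and the example URLs are assumptions made for illustration.

```javascript
// Simplified model of the two rules above; not Chromium's implementation.
// Response shape {url, status, contentType, body} and all sniffing patterns
// are assumptions made for this example.
const essence = (ct) => (ct || "").split(";")[0].trim().toLowerCase();
const isHtmlType = (t) => t === "text/html";
const isXmlType = (t) => t === "text/xml" || t === "application/xml";
const isJsonType = (t) => t === "application/json" || t === "text/json";
const isMediaType = (t) =>
  t.startsWith("audio/") || t.startsWith("video/") || t === "application/dash+xml";
const sniffsAsHtml = (b) => /^\s*<(!doctype html|html|head|body|script)\b/i.test(b);
const sniffsAsXml = (b) => /^\s*<\?xml/i.test(b);
const sniffsAsMedia = (b) => /^(ID3|OggS|RIFF)/.test(b);

// CORB as described: blocking is keyed on the declared MIME type.
function corbBlocks(r) {
  const t = essence(r.contentType);
  if (r.status === 206) return isHtmlType(t) || isXmlType(t) || isJsonType(t);
  return (isHtmlType(t) && sniffsAsHtml(r.body)) || (isXmlType(t) && sniffsAsXml(r.body));
}

// ORB v0.1 as described: content decides, and range responses need a URL
// that was recognized as audio/video by an earlier response.
function makeOrbV01() {
  const mediaUrls = new Set();
  return function orbBlocks(r) {
    if (r.status === 206) return !mediaUrls.has(r.url);
    if (isMediaType(essence(r.contentType)) || sniffsAsMedia(r.body)) {
      mediaUrls.add(r.url);
      return false;
    }
    // Anything that is neither media nor HTML/XML is allowed (fails open).
    return sniffsAsHtml(r.body) || sniffsAsXml(r.body);
  };
}

// Constructed sample responses (hypothetical URLs and bodies).
const SAMPLES = [
  { url: "https://a.example/page", status: 200, contentType: "application/octet-stream", body: "<!DOCTYPE html><html>" },
  { url: "https://a.example/feed", status: 200, contentType: "text/html", body: "<?xml version=\"1.0\"?><rss/>" },
  { url: "https://a.example/blob", status: 206, contentType: "application/octet-stream", body: "\u0000\u0001" },
  { url: "https://a.example/song", status: 200, contentType: "audio/mpeg", body: "ID3\u0003" },
  { url: "https://a.example/song", status: 206, contentType: "audio/mpeg", body: "\u00ff\u00fb" },
];

function compare(samples) {
  const orbBlocks = makeOrbV01();
  return samples.map((r) => ({ url: r.url, status: r.status, corb: corbBlocks(r), orb: orbBlocks(r) }));
}
console.log(compare(SAMPLES));
```

The third sample is the case the Content-Type guidance addresses: a range response from a URL never recognized as audio or video is blocked in this model, while the same kind of request to a URL first served as audio/mpeg is allowed.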
Proposal in a personal repository, no adoption from community
Status in Chromium
In developer trial (Behind a flag)
Consensus & Standardization
- In development
- No signal
- No signals
Last updated on 2022-05-05