Opaque Response Blocking (ORB) is a replacement for Cross-Origin Read Blocking (CORB - https://chromestatus.com/feature/5629709824032768). CORB and ORB are both heuristics that attempt to prevent cross-origin disclosure of “no-cors” subresources. This entry tracks v0.1 of ORB, Chrome's first step toward a full ORB implementation. For interoperability, web authors should check the Content-Type headers of their resources and indicate multimedia content when needed (e.g. audio/*, application/dash+xml).

Motivation

ORBv0.1 is an incremental step toward full ORB compliance (i.e. a step toward cross-browser compatibility). ORBv0.1 offers incremental security benefits compared to CORB. Like CORB, and unlike full ORB, ORBv0.1 still fails open, but it protects more responses:

  • CORB blocks responses that contain HTML or XML only if they are labeled with an HTML or XML MIME type. ORBv0.1 blocks responses that contain HTML or XML even if they are mislabeled (e.g. HTML served as application/octet-stream, or XML served as text/html).
  • CORB blocks range request responses only if they are labeled with an HTML, JSON, or XML MIME type. ORBv0.1 blocks all range request responses, unless they come from a URL that ORBv0.1 has earlier recognized (via sniffing, or via MIME type) as audio or video.
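
The two differences listed above, as an added JavaScript sketch (not Chromium's implementation and not code from this entry): it compares a simplified CORB decision with a simplified ORBv0.1 decision over constructed responses and returns the URLs that only ORBv0.1 blocks. The prefix sniffer, the reduced MIME lists, the `.example` URLs, and recording media URLs only from non-range responses are assumptions of this model.

```javascript
// Simplified model of the two CORB vs ORBv0.1 differences; not Chromium code.
const essence = (ct) => (ct || "").split(";")[0].trim().toLowerCase();

// Label -> kind, for the MIME types CORB keys on (reduced list, assumption).
function labelKind(ct) {
  const e = essence(ct);
  if (e === "text/html") return "html";
  if (e === "text/xml" || e === "application/xml") return "xml";
  if (e === "application/json" || e === "text/json") return "json";
  return null;
}
// Toy content sniffer: a few prefixes only (assumption, real sniffing is richer).
function sniff(body) {
  const head = body.trimStart().slice(0, 32).toLowerCase();
  if (head.startsWith("<?xml")) return "xml";
  if (head.startsWith("<!doctype html") || head.startsWith("<html")) return "html";
  return null;
}
// Audio/video by label, or by two well-known magic prefixes (Ogg, ID3-tagged MP3).
const isMedia = (r) => /^(audio|video)\//.test(essence(r.contentType)) ||
  r.body.startsWith("OggS") || r.body.startsWith("ID3");

// CORB as described: the label decides; non-range bodies must match the label.
function corbBlocks(r) {
  const kind = labelKind(r.contentType);
  return r.isRange ? kind !== null : kind !== null && sniff(r.body) === kind;
}
// ORBv0.1 as described: content decides; range responses need a known media URL.
function makeOrbV01() {
  const mediaUrls = new Set();
  return (r) => {
    if (r.isRange) return !mediaUrls.has(r.url);
    if (isMedia(r)) { mediaUrls.add(r.url); return false; }
    return sniff(r.body) !== null; // anything unrecognized is allowed (fails open)
  };
}
// URLs that CORB lets through but ORBv0.1 blocks, processed in request order.
function newlyBlocked(responses) {
  const orbBlocks = makeOrbV01();
  return responses.filter((r) => orbBlocks(r) && !corbBlocks(r)).map((r) => r.url);
}

const SAMPLE = [ // constructed responses, not captured traffic
  { url: "https://media.example/a.bin", contentType: "application/octet-stream", isRange: false, body: "<!doctype html><p>x</p>" },
  { url: "https://media.example/feed", contentType: "text/html", isRange: false, body: "<?xml version='1.0'?><feed/>" },
  { url: "https://media.example/song.ogg", contentType: "audio/ogg", isRange: false, body: "OggS\u0000" },
  { url: "https://media.example/song.ogg", contentType: "audio/ogg", isRange: true, body: "\u0001\u0002" },
  { url: "https://media.example/clip", contentType: "application/octet-stream", isRange: true, body: "\u0000\u0001" },
  { url: "https://media.example/page", contentType: "text/html; charset=utf-8", isRange: false, body: "<html></html>" },
];
```

Calling `newlyBlocked(SAMPLE)` returns the mislabeled HTML, the XML served as text/html, and the range response from a URL never recognized as media; the correctly labeled audio and its later range response pass.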

Specification

Specification link


Proposal in a personal repository, no adoption from community

Status in Chromium

Internals>Sandbox>SiteIsolation


In developer trial (Behind a flag)

Consensus & Standardization

After a feature ships in Chrome, the values listed here are not guaranteed to be up to date.

  • In development
  • No signal
  • No signals

Owners

Comments

ORB has been proposed by Firefox as the next, improved version of CORB. CORB is covered by the Fetch spec, but it is only implemented by Chrome today. Both Chrome and Firefox are working on implementing ORB.

Last updated on 2022-05-05