Contact emails
ddwo...@google.com

Explainer
None

Specification
https://www.chromium.org/Home/chromium-security/corb-for-developers

Summary
Protect `application/x-protobuffer` from speculative execution attacks by adding it to the list of never sniffed MIME types used by Cross-Origin-Read-Blocking. `application/x-protobuf` is already protected as a never sniffed MIME type. `application/x-protobuffer` is another commonly used MIME type that is defined as an "ALT_CONTENT_TYPE" by the protobuf library. See the original Intent to Implement and Ship notice for CORB here: https://groups.google.com/a/chromium.org/g/blink-dev/c/hnA

Blink component
Blink>SecurityFeature

TAG review
Not necessary because this is just adding one additional MIME type to the CORB list

TAG review status
Not applicable

Risks

Interoperability and Compatibility
If a website includes a cross-origin resource via either `<script>` or `<img>` and the content type is set to `application/x-protobuffer` then CORB will block the response. The most common protobuf MIME type (`application/x-protobuf`) is already blocked by CORB so we expect this to break very few (if any) endpoints.

Gecko: Positive (https://github.com/annevk/orb/pull/17)
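As an added illustration (not Chromium code and not part of the original post), the check below models the never-sniffed rule the intent describes: a cross-origin response whose Content-Type essence is on the list is blocked without sniffing. The list holds only the two protobuf types named in this thread (Chromium's real list is longer), the origins and responses are constructed, and CORS-permitted reads are assumed out of scope since `<script>`/`<img>` loads are no-cors.

```python
"""Model of CORB's never-sniffed MIME type rule for compat review.

Added example for this thread; not Chromium's implementation. The list
below is a subset (assumption): only the two types the thread names.
"""

# Cross-origin responses with these Content-Types are blocked outright,
# with no content sniffing.  Subset taken from the thread.
NEVER_SNIFFED = {
    "application/x-protobuf",
    "application/x-protobuffer",
}


def mime_essence(content_type: str) -> str:
    """Lowercased type/subtype of a Content-Type value, with parameters
    such as '; charset=binary' and surrounding whitespace dropped."""
    return content_type.split(";", 1)[0].strip().lower()


def corb_blocks(request_origin: str, response_origin: str, content_type: str) -> bool:
    """True if the never-sniffed rule would block this response.

    Origins are scheme://host[:port] strings.  The rule only applies to
    cross-origin reads; same-origin responses are never touched.  Reads
    permitted by CORS are not blocked by CORB either, but no-cors loads
    (<script>, <img>) are what this thread is about, so CORS is not modeled.
    """
    if request_origin == response_origin:
        return False
    return mime_essence(content_type) in NEVER_SNIFFED


def audit(responses):
    """responses: iterable of (request_origin, response_origin, content_type).
    Returns the entries CORB would block, i.e. the endpoints to review."""
    return [r for r in responses if corb_blocks(*r)]


if __name__ == "__main__":
    # Constructed sample data: (page origin, resource origin, Content-Type).
    SAMPLE = [
        ("https://app.example", "https://api.example", "application/x-protobuffer"),
        ("https://app.example", "https://api.example", "Application/X-Protobuf; charset=binary"),
        ("https://app.example", "https://app.example", "application/x-protobuffer"),
        ("https://app.example", "https://cdn.example", "image/png"),
    ]
    for entry in SAMPLE:
        print("BLOCK" if corb_blocks(*entry) else "allow", entry)
```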
On Friday, February 5, 2021 at 12:11:24 AM UTC+1 David Dworken wrote:
> Gecko: Positive (https://github.com/annevk/orb/pull/17)

I don't believe that counts as support from Mozilla. See https://bit.ly/blink-signals
On Thursday, February 11, 2021 at 5:18:51 AM UTC-8 yo...@yoav.ws wrote:
> On Friday, February 5, 2021 at 12:11:24 AM UTC+1 David Dworken wrote:
> > Gecko: Positive (https://github.com/annevk/orb/pull/17)
>
> I don't believe that counts as support from Mozilla. See https://bit.ly/blink-signals

The unfortunate current state is that 1) CORB is only implemented in Chromium and 2) only part of CORB is covered by https://fetch.spec.whatwg.org/. Hopefully this can change once Chromium and Firefox experiment with CORB's alternative: ORB (https://github.com/annevk/orb) and decide based on these experiments whether to proceed with one or the other (I am currently working on UMA covering a subset of ORB and hope to land it in M90; AFAIK Firefox is actively implementing full ORB). Given this, I hope that you can excuse not covering `application/x-protobuffer` anywhere other than https://github.com/annevk/orb/pull/17.
I think that the current state (while indeed unfortunate and undesirable in the long-term) is well justified in the short-term:

- One reason why CORB is right now a Chromium-only feature is because CORB is not a strong defense in the absence of OOPIFs (out-of-process iframes). As OOPIFs are worked on in other browsers (e.g. project Fission in Firefox) they will have to adopt CORB (or ORB) to get full security benefits - this gives us an opportunity to align (and as pointed out above, we _are_ talking with Firefox about their ORB experiments).
- As pointed out in the original intent-to-ship for CORB (see here), it's borderline whether this is even a web-facing change. CORB *is* web observable, but the effects of CORB are only visible in corner-cases (incorrect Content-Type): sometimes only visible to end-users (CORB blocked and therefore misrendered images)
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/b64ece7e-7eba-408e-a361-62a820fcbbfan%40chromium.org.
> I think that the current state (while indeed unfortunate and undesirable in the long-term) is well justified in the short-term:
>
> - One reason why CORB is right now a Chromium-only feature is because CORB is not a strong defense in the absence of OOPIFs (out-of-process iframes). As OOPIFs are worked on in other browsers (e.g. project Fission in Firefox) they will have to adopt CORB (or ORB) to get full security benefits - this gives us an opportunity to align (and as pointed out above, we _are_ talking with Firefox about their ORB experiments).

Encouraging to hear about the conversations with Mozilla!

> - As pointed out in the original intent-to-ship for CORB (see here), it's borderline whether this is even a web-facing change. CORB *is* web observable, but the effects of CORB are only visible in corner-cases (incorrect Content-Type): sometimes only visible to end-users (CORB blocked and therefore misrendered images)

Do we maintain the dimensions the image would have if not for CORB in such cases? If not, it's also web observable.
I will always object to any standardization of any MIME type beginning with x-. If it is to be added to the browser MIME types, it is worth the effort to get rid of the "x-".

Be the change you want to see in the world ..tom