Cross-Origin Read Blocking (CORB) blocked cross-origin response https://www.example.com/example.html with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
Contact emails:
luk...@chromium.org, cr...@chromium.org, voge...@chromium.org
Specification:
https://github.com/annevk/orb
Summary:
Opaque Response Blocking (ORB) is a replacement for Cross-Origin Read Blocking (CORB - https://chromestatus.com/feature/5629709824032768). CORB and ORB are both heuristics that attempt to prevent cross-origin disclosure of “no-cors” subresources. This entry tracks v0.1 of ORB - Chrome's first step toward full ORB implementation.
For interop web authors should check Content-Type headers of their resources and indicate multimedia content when needed (e.g. audio/*, application/dash+xml, etc).
Blink component:
Internals>Sandbox>SiteIsolation
TAG review status:
Not applicable
Interoperability and Compatibility Risk:
The backcompatibility risk of shipping ORB v0.1 seems low: less than 0.01% of all HTTP requests are at risk because they are blocked by ORB and not by CORB.
For more information, see the draft of the "Backcompatibility risks of ORBv0.1" and the "Managing the backcompatibility risk" sections at https://docs.google.com/document/d/1dO1NP6xchEiCN990zMczXcSvgcRzSnWBtAgflVBXoTg/edit?usp=sharing
Gecko: In development (https://bugzilla.mozilla.org/show_bug.cgi?id=1532642).
WebKit: No signal
Web developers: No signals
Other signals:
Ergonomics:
N/A (no public API)
Activation:
N/A
Security:
N/A
WebView application risks:
No known WebView-specific risks
Debuggability:
No changes compared to CORB - mostly relying on a DevTools console warning that gets emitted when CORB/ORB block a HTTP response.
Is this feature fully tested by web-platform-tests?
Not really…
CORB and ORBv0.1 do have coverage via wpt/fetch/corb but:
- CORB and ORBv0.1 are Chrome-only technologies (the latter is a step toward adopting the full, cross-browser ORB standard). And therefore right now wpt/fetch/corb are Chrome-specific tests.
- Covering full ORB will require significant refactoring of the tests - among other things we might need to change whether a blocked response is verified by checking for A) an empty response body VS B) a network/fetch error.
Flag name:
--enable-features=OpaqueResponseBlockingV01
Requires code in //chrome?:
False
Tracking bug:
https://crbug.com/1178928
Measurement:
Google-internal "ORB telemetry results - Mar 2022" doc can be found at https://docs.google.com/document/d/1MbYQbL4WQyZdCQcZcKyzxHA0UxbHTC0O4bQXFgm8o6A/edit?usp=sharing
Estimated milestones:
Shipping on desktop 103
Shipping on Android 103
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA_NCUH%3Df4KJK7F1rZ9PugP4O9kPQ%2BSzot0VjD6hyxZ%3Dqn_Bjw%40mail.gmail.com.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA_NCUGAOpNbCx-gZsttKo1cSGAoHugVJJBEjGrqA9AjQ1KtOw%40mail.gmail.com.
Hey Łukasz,I'm in favor of shipping this change. It will harden our defenses against side-channel attacks at minimal web-visible cost, and clear a path for a WebKit implementation that some folks have expressed interest in (see the CORB thread on webkit-dev@). That said, I have two questions:
- The ORB telemetry results - Mar 2022 document suggests a substantially smaller impact than the 0.01% number you mention a few times in this intent: 0.002% - 0.006% (it would be ideal if you could create a public version of that document :) ). Can you help me understand the distinctions between those measurements?
- The current specification situation is confusing. https://fetch.spec.whatwg.org/#corb doesn't match what Chrome does, and https://github.com/annevk/orb doesn't match what this v0.1 implementation does. Is there something we can point developers to which would explain Chrome's behavior once we ship this initial stab at ORB?
On Mon, May 9, 2022 at 11:35 PM Mike West <mk...@chromium.org> wrote:Hey Łukasz,I'm in favor of shipping this change. It will harden our defenses against side-channel attacks at minimal web-visible cost, and clear a path for a WebKit implementation that some folks have expressed interest in (see the CORB thread on webkit-dev@). That said, I have two questions:
- The ORB telemetry results - Mar 2022 document suggests a substantially smaller impact than the 0.01% number you mention a few times in this intent: 0.002% - 0.006% (it would be ideal if you could create a public version of that document :) ). Can you help me understand the distinctions between those measurements?
0.01% is just a conservative rounding of the 0.002%-0.006% numbers from the other doc. (Sorry about that... https://xkcd.com/2585/ seems somewhat applicable I guess...)
- The current specification situation is confusing. https://fetch.spec.whatwg.org/#corb doesn't match what Chrome does, and https://github.com/annevk/orb doesn't match what this v0.1 implementation does. Is there something we can point developers to which would explain Chrome's behavior once we ship this initial stab at ORB?
Hmmm... this is a fair point. We have some docs, but I am not sure if they are distilled/clear enough for public consumption. Notably, the "Gradual CORB -> ORB transition" doc talks about the main difference between full ORB and ORB v0.1 (JS sniffing -vs- HTML/JSON/XML sniffing) and also provides a fairly comprehensive list of other, minor differences is in the "Appendix: ORB v0.1 vs full ORB differences" section of the doc.But... I think that explaining Chrome behavior can be done by just referring to the full ORB spec. Chrome's ORB v0.1 blocks only a subset of resources that full ORB would block, but the ones that are blocked by Chrome can be explained by the full ORB algorithm (adding a disclaimer to that explanation as needed and pointing out that Chrome only implements a subset of the full ORB algorithm). Does that seem reasonable?
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA_NCUG3%2ByUxFwTnrA0ahvAuvfXP4%2BKhbMyhO9XPfpLySDF8jg%40mail.gmail.com.
On Wed, May 11, 2022 at 2:56 AM Łukasz Anforowicz <luk...@chromium.org> wrote:On Mon, May 9, 2022 at 11:35 PM Mike West <mk...@chromium.org> wrote:Hey Łukasz,I'm in favor of shipping this change. It will harden our defenses against side-channel attacks at minimal web-visible cost, and clear a path for a WebKit implementation that some folks have expressed interest in (see the CORB thread on webkit-dev@). That said, I have two questions:
- The ORB telemetry results - Mar 2022 document suggests a substantially smaller impact than the 0.01% number you mention a few times in this intent: 0.002% - 0.006% (it would be ideal if you could create a public version of that document :) ). Can you help me understand the distinctions between those measurements?
0.01% is just a conservative rounding of the 0.002%-0.006% numbers from the other doc. (Sorry about that... https://xkcd.com/2585/ seems somewhat applicable I guess...)Also, that number is presented as a percentage from HTTP requests. Do you have the data on how this presents itself as a percentage of page views?
If the majority of these requests are range requests, there's reason to believe there was more than one per page view.
- The current specification situation is confusing. https://fetch.spec.whatwg.org/#corb doesn't match what Chrome does, and https://github.com/annevk/orb doesn't match what this v0.1 implementation does. Is there something we can point developers to which would explain Chrome's behavior once we ship this initial stab at ORB?
Hmmm... this is a fair point. We have some docs, but I am not sure if they are distilled/clear enough for public consumption. Notably, the "Gradual CORB -> ORB transition" doc talks about the main difference between full ORB and ORB v0.1 (JS sniffing -vs- HTML/JSON/XML sniffing) and also provides a fairly comprehensive list of other, minor differences is in the "Appendix: ORB v0.1 vs full ORB differences" section of the doc.But... I think that explaining Chrome behavior can be done by just referring to the full ORB spec. Chrome's ORB v0.1 blocks only a subset of resources that full ORB would block, but the ones that are blocked by Chrome can be explained by the full ORB algorithm (adding a disclaimer to that explanation as needed and pointing out that Chrome only implements a subset of the full ORB algorithm). Does that seem reasonable?Another point on that front - we don't typically ship things that are specified in personal repos. While this case is somewhat different than the typical case (that is, it's not a personal repo of someone working on Chrome), it'd still be good to move the spec to a more official space, where more folks feel free to contribute to it.Have y'all talked to Anne about moving the repo to the WHATWG or to some incubation venue?
On Wed, May 11, 2022 at 12:24 AM Yoav Weiss <yoav...@chromium.org> wrote:On Wed, May 11, 2022 at 2:56 AM Łukasz Anforowicz <luk...@chromium.org> wrote:On Mon, May 9, 2022 at 11:35 PM Mike West <mk...@chromium.org> wrote:Hey Łukasz,I'm in favor of shipping this change. It will harden our defenses against side-channel attacks at minimal web-visible cost, and clear a path for a WebKit implementation that some folks have expressed interest in (see the CORB thread on webkit-dev@). That said, I have two questions:
- The ORB telemetry results - Mar 2022 document suggests a substantially smaller impact than the 0.01% number you mention a few times in this intent: 0.002% - 0.006% (it would be ideal if you could create a public version of that document :) ). Can you help me understand the distinctions between those measurements?
0.01% is just a conservative rounding of the 0.002%-0.006% numbers from the other doc. (Sorry about that... https://xkcd.com/2585/ seems somewhat applicable I guess...)Also, that number is presented as a percentage from HTTP requests. Do you have the data on how this presents itself as a percentage of page views?No, we don't have such a breakdown of the data.One reason is that ORB (and code gathering ORB's telemetry data) is hosted inside the NetworkService process which is mostly unaware of pages and page views (I think; I guess UKM would require knowing about pages, but I wasn't able to find UKM-related code under //services/network). We could try to count the various ORB outcomes per URLLoaderFactory (which roughly corresponds to a single HTML frame; I note that in the past about:blank frame might have shared a URLLoaderFactory with their opener/parent/initiator - that's probably ok), but getting this data would take time...
Also, how far is the PR draft from what y'all are planning to ship?
- 100% of the currently existing wpt/fetch/corb tests continue to pass with ORBv0.1.
- CORB and ORB differ (see also https://crbug.com/827633) in how they block things like JSON or HTML: CORB replaces the old response with an empty response body; ORB triggers a network error. Once that difference is gone:
Another way to judge the distance between ORBv0.1 and full ORB is to look at the differences listed in the docs that I've mentioned earlier in this thread:
- 95+% of the existing CORB and ORBv0.1 tests under wpt/fetch/corb should also apply to full ORB. The remaining 5% is mostly tests that deal with JSON parser breakers (https://github.com/annevk/orb/issues/30).
- ORB will require extra tests, in addition to the ones currently under wpt/fetch/corb. I would estimate that ORBv0.1 would pass at least 50% of the final set of WPT tests.
Notably, the "Gradual CORB -> ORB transition" doc talks about the main difference between full ORB and ORB v0.1 (JS sniffing -vs- HTML/JSON/XML sniffing) and also provides a fairly comprehensive list of other, minor differences is in the "Appendix: ORB v0.1 vs full ORB differences" section of the doc.
Thanks!-mike
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA_NCUH%3Df4KJK7F1rZ9PugP4O9kPQ%2BSzot0VjD6hyxZ%3Dqn_Bjw%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAA_NCUGAOpNbCx-gZsttKo1cSGAoHugVJJBEjGrqA9AjQ1KtOw%40mail.gmail.com.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+unsubscribe@chromium.org.
LGTM3 (modulo Yoav's request).
There is a clear compatibility risk here so it was good that it
was filed as an intent (regarding some comments a month ago), and
I wish we knew more about the requests that now will be blocked,
but I agree that the risk is just low enough to ship.
You may have to stay vigilant during the canary/beta phase to
pick up signals of something going wrong (which is true for most
features).
/Daniel
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/418ea310-7447-436c-8994-9a571d0ab27fn%40chromium.org.
I talked to Daniel Vogelheim about this and we agreed that the best way to document this intermediary, Chromium-only state is with in-tree documentation, which Daniel is working on.