Summary: Opaque Response Blocking (ORB) is a heuristic intended to block (a subset of) the responses to no-cors cross-origin requests so that their contents cannot be read by a Spectre attack, while remaining web compatible.
The implementation is partial because it still lacks the JavaScript validation step: the goal is to block JSON responses while letting JavaScript pass through, but that part of the implementation is not finished yet.
Any blocked request is logged to the browser console, e.g.:
  The resource at <resource url> was blocked due to its Cross-Origin-Resource-Sharing header (or lack thereof)
So please file a bug if you experience site breakage and see that some requests are blocked by ORB.
Bug:
- Initial implementation, which sets up the framework:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1696111
- The bug which enables the above implementation:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1785331

Specification:
https://github.com/annevk/orb

Standards Body: There is a PR open which has the actual changes to the Fetch spec:
https://github.com/whatwg/fetch/pull/1442

Platform coverage: All

Preference: This feature can be turned off by setting
browser.opaqueResponseBlocking to false

Other browsers: Chrome has ORBv0.1 shipped in 105.
web-platform-tests: No WPTs yet. We have added the initial batch of tests in
https://bugzilla.mozilla.org/show_bug.cgi?id=1785331. We have also been relying on all other existing tests for remaining web compatibility.
I'll bump this email again once the patches land.
Thanks,
Sean Feng
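As an added illustration of the kind of heuristic ORB applies, here is a small Node model of an ORB-style allow/block decision for a no-cors cross-origin response. This is example code written for this page; it is not Firefox's implementation and not the algorithm text from the annevk/orb draft or the Fetch PR. The MIME-type lists are a representative subset assumed here, the step ordering (in particular the handling of partial content and nosniff) is simplified, and "parses as JavaScript" is approximated with the engine's own parser via `new Function` (compiled, never invoked). The last three steps show the JSON-versus-JavaScript distinction that the email describes as the unfinished part: a body that parses as JSON is blocked, a body that parses as JavaScript but not as JSON is let through.

```javascript
// Illustrative ORB-style decision for a no-cors cross-origin response.
// Assumptions (this is not Firefox or spec code): the CORS check has already
// failed or was absent, the MIME lists below are a representative subset, and
// "parses as JavaScript" uses the engine parser via `new Function` (compiled,
// never invoked). Runs under Node.

const JS_MIME_ESSENCES = new Set([
  "text/javascript", "application/javascript", "application/x-javascript",
  "text/ecmascript", "application/ecmascript",
]);

// "type/subtype; params" -> lowercased "type/subtype", or null if malformed.
function mimeEssence(contentType) {
  if (typeof contentType !== "string") return null;
  const essence = contentType.split(";")[0].trim().toLowerCase();
  return /^[\w.+-]+\/[\w.+-]+$/.test(essence) ? essence : null;
}

// Passed without inspecting the body: script, style sheet, SVG.
function isOpaqueSafelisted(essence) {
  return JS_MIME_ESSENCES.has(essence) || essence === "text/css" || essence === "image/svg+xml";
}

// Data formats a no-cors consumer has no legitimate use for (subset assumed here).
function isOpaqueBlocklisted(essence) {
  return essence === "text/html" ||
    essence === "application/json" || essence === "text/json" || essence.endsWith("+json") ||
    essence === "text/xml" || essence === "application/xml" || essence.endsWith("+xml") ||
    essence === "text/csv" || essence === "text/event-stream";
}

// Representative image signatures: PNG, GIF, JPEG.
const IMAGE_SIGNATURES = [
  [0x89, 0x50, 0x4e, 0x47], [0x47, 0x49, 0x46, 0x38], [0xff, 0xd8, 0xff],
];
const startsWithBytes = (bytes, sig) =>
  bytes.length >= sig.length && sig.every((b, i) => bytes[i] === b);

function parsesAsJson(text) {
  try { JSON.parse(text); return true; } catch { return false; }
}
// Compile-only check; a top-level `return` would also pass, which is fine here.
function parsesAsJavaScript(text) {
  try { new Function(text); return true; } catch { return false; }
}

// response: { contentType, nosniff, status, destination, body } where body is
// a string or a byte array. Returns { allow, reason }.
function orbDecision(response) {
  const bytes = typeof response.body === "string"
    ? Buffer.from(response.body, "utf8") : Buffer.from(response.body);
  const head = bytes.subarray(0, 1024);
  const headText = head.toString("utf8").trimStart().toLowerCase();
  const essence = mimeEssence(response.contentType);
  const destination = response.destination ?? "";

  if (essence !== null) {
    if (isOpaqueSafelisted(essence)) return { allow: true, reason: "safelisted MIME type" };
    if (isOpaqueBlocklisted(essence)) return { allow: false, reason: "blocklisted MIME type" };
    if (response.nosniff === true && essence === "text/plain")
      return { allow: false, reason: "text/plain with nosniff" };
  }
  // Partial content is not sniffed in this model (simplification of the range rules).
  if (response.status === 206) return { allow: false, reason: "partial content" };

  // Byte sniffing on the first 1024 bytes.
  if (IMAGE_SIGNATURES.some((sig) => startsWithBytes(head, sig)) && destination === "image")
    return { allow: true, reason: "image bytes for an image destination" };
  if (essence !== null && /^(image|audio|video)\//.test(essence))
    return { allow: false, reason: "media MIME type not consumed by a media destination" };
  if (headText.startsWith(")]}'"))
    return { allow: false, reason: "JSON hijacking guard prefix" };
  if (headText.startsWith("<!doctype html") || headText.startsWith("<html") || headText.startsWith("<?xml"))
    return { allow: false, reason: "body sniffs as HTML/XML" };

  // The step the email describes as unfinished: JSON is blocked, JavaScript that
  // is not also valid JSON is allowed, anything else is blocked.
  const text = bytes.toString("utf8");
  if (parsesAsJson(text)) return { allow: false, reason: "body parses as JSON" };
  if (parsesAsJavaScript(text)) return { allow: true, reason: "body parses as JavaScript" };
  return { allow: false, reason: "unrecognised body" };
}
```

Calling `orbDecision({ contentType: "text/plain", body: "[1,2,3]" })` blocks (the body is valid JSON), while `orbDecision({ contentType: "text/plain", body: "var a = [1,2,3];" })` allows (valid JavaScript, not JSON). This is the ambiguity the JavaScript validation step has to resolve: the MIME type alone cannot separate a mislabelled JSON API response from a legitimately loaded script. A response with `X-Content-Type-Options: nosniff` on `text/plain` is blocked without looking at the body, and image bytes pass only when the request destination is actually an image.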