Intent to prototype: Enable Partially Implemented Opaque Response Blocking (ORB) in Nightly
6,648 views
Skip to first unread message
Sean Feng
Oct 26, 2022, 3:10:13 PM10/26/22
to dev-pl...@mozilla.org
Summary: Opaque Response Blocking (ORB) is a heuristic which intends to block no-cors cross-origin requests to prevent those requests from being read by Spectre attack while remaining web compatible.
This is partially implemented because it lacks the Javascript validation stuff such that we want to block JSON responses while allowing Javascript to pass through, however we haven't finished the implementation for this part yet.
Any blocked request will be logged in to the browser console. eg:
The resource at <resource url> was blocked due to its Cross-Origin-Resource-Sharing header (or lack thereof)
So please file a bug if you experience site breakage and see some requests are blocked by ORB.
Bug:
- Initial implementation setups the framework: https://bugzilla.mozilla.org/show_bug.cgi?id=1696111
- The bug which enables the above implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1785331
Specification: https://github.com/annevk/orb
Standards Body: There's a PR open which has the actual changes to the Fetch spec: https://github.com/whatwg/fetch/pull/1442
Platform coverage: All
Preference: This feature can be turned off by setting browser.opaqueResponseBlocking to false
Other browsers: Chrome has ORBv0.1 shipped in 105.
web-platform-tests: No WPTs yet. We have added the initial batch of tests in https://bugzilla.mozilla.org/show_bug.cgi?id=1785331. We have also been relying on all other existing tests for remaining web compatibility.
I'll bump this email again once the patches land.
Thanks,
Sean Feng
This is partially implemented because it lacks the Javascript validation stuff such that we want to block JSON responses while allowing Javascript to pass through, however we haven't finished the implementation for this part yet.
Any blocked request will be logged in to the browser console. eg:
The resource at <resource url> was blocked due to its Cross-Origin-Resource-Sharing header (or lack thereof)
So please file a bug if you experience site breakage and see some requests are blocked by ORB.
Bug:
- Initial implementation setups the framework: https://bugzilla.mozilla.org/show_bug.cgi?id=1696111
- The bug which enables the above implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1785331
Specification: https://github.com/annevk/orb
Standards Body: There's a PR open which has the actual changes to the Fetch spec: https://github.com/whatwg/fetch/pull/1442
Platform coverage: All
Preference: This feature can be turned off by setting browser.opaqueResponseBlocking to false
Other browsers: Chrome has ORBv0.1 shipped in 105.
web-platform-tests: No WPTs yet. We have added the initial batch of tests in https://bugzilla.mozilla.org/show_bug.cgi?id=1785331. We have also been relying on all other existing tests for remaining web compatibility.
I'll bump this email again once the patches land.
Thanks,
Sean Feng
Sean Feng
Oct 28, 2022, 10:30:43 AM10/28/22
to dev-pl...@mozilla.org
The patches just made it to the mozilla-central. Again, any blocked request will be logged in to the browser console as
The resource at <resource url> was blocked due to its Cross-Origin-Resource-Sharing header (or lack thereof), and the feature can be toggled by browser.opaqueResponseBlocking. So Please file bugs and needinfo 'sefeng' if anything breaks.
The resource at <resource url> was blocked due to its Cross-Origin-Resource-Sharing header (or lack thereof), and the feature can be toggled by browser.opaqueResponseBlocking. So Please file bugs and needinfo 'sefeng' if anything breaks.
Thanks,
Sean Feng
Sean Feng
Nov 16, 2022, 9:53:12 AM11/16/22
to dev-pl...@mozilla.org
The feature is enabled again in Nightly! Please file bugs if anything breaks.
(It was disabled due to some regressions about loading images)
Thanks all,
Sean
Reply all
Reply to author
Forward
0 new messages