Intent to prototype: Enable Partially Implemented Opaque Response Blocking (ORB) in Nightly


Sean Feng

Oct 26, 2022, 3:10:13 PM
to dev-pl...@mozilla.org
Summary: Opaque Response Blocking (ORB) is a heuristic which intends to block no-cors cross-origin requests to prevent those requests from being read by Spectre attacks while remaining web-compatible.

This is partially implemented because it lacks the JavaScript validation part: we want to block JSON responses while allowing JavaScript to pass through, but we haven't finished the implementation for this part yet.

Any blocked request will be logged to the browser console, e.g.:
    The resource at <resource url> was blocked due to its Cross-Origin-Resource-Sharing header (or lack thereof)
So please file a bug if you experience site breakage and see that some requests are blocked by ORB.

Bug:
  - Initial implementation sets up the framework: https://bugzilla.mozilla.org/show_bug.cgi?id=1696111
  - The bug which enables the above implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1785331

Specification: https://github.com/annevk/orb

Standards Body: There's a PR open which has the actual changes to the Fetch spec: https://github.com/whatwg/fetch/pull/1442

Platform coverage: All

Preference: This feature can be turned off by setting browser.opaqueResponseBlocking to false

Other browsers: Chrome has ORB v0.1 shipped in 105.

web-platform-tests: No WPTs yet. We have added the initial batch of tests in https://bugzilla.mozilla.org/show_bug.cgi?id=1785331. We have also been relying on all other existing tests for remaining web compatibility.

I'll bump this email again once the patches land.

Thanks,
Sean Feng
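To make the heuristic described above concrete, here is an added, simplified model of the decision (example code, not Gecko's implementation or the spec's full algorithm): it only captures what the email states, namely that ORB looks at no-cors cross-origin responses, lets JavaScript through and blocks JSON, and it reproduces the console message quoted above. The origin/MIME handling and the "allow everything else" default are assumptions of this model.

```python
from urllib.parse import urlsplit

# Assumed MIME lists for this model; the real spec sniffs far more than this.
JSON_TYPES = {"application/json", "text/json"}
JS_TYPES = {"application/javascript", "text/javascript", "application/x-javascript"}


def origin_of(url: str) -> str:
    """scheme://host[:port], lower-cased, as a stand-in for a real origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def mime_essence(content_type: str) -> str:
    """'application/json; charset=utf-8' -> 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower()


def orb_decision(request_origin: str, url: str, mode: str, content_type: str) -> str:
    """Return 'allow' or 'block' for one response, per the simplified model."""
    if mode != "no-cors":
        # cors / same-origin modes are policed by CORS itself; ORB only
        # concerns opaque (no-cors) responses.
        return "allow"
    if origin_of(url) == request_origin.lower():
        return "allow"  # same-origin: nothing to protect
    essence = mime_essence(content_type)
    if essence in JS_TYPES:
        return "allow"  # scripts must keep working for web compat
    if essence in JSON_TYPES:
        return "block"  # JSON is data a page should never get opaquely
    return "allow"      # model default; the spec has further rules here


def console_message(url: str) -> str:
    """The console line the email says Firefox logs for a blocked request."""
    return (f"The resource at {url} was blocked due to its "
            "Cross-Origin-Resource-Sharing header (or lack thereof)")


def evaluate(request_origin: str, responses):
    """Run the model over (url, mode, content_type) tuples; return decisions."""
    return [(url, orb_decision(request_origin, url, mode, ct)) for url, mode, ct in responses]


# Constructed sample: a page on https://app.example fetching several resources.
SAMPLE = [
    ("https://cdn.example/lib.js", "no-cors", "text/javascript"),
    ("https://api.example/user", "no-cors", "application/json; charset=utf-8"),
    ("https://app.example/me.json", "no-cors", "application/json"),
    ("https://api.example/user", "cors", "application/json"),
]
```

Running `evaluate("https://app.example", SAMPLE)` blocks only the cross-origin no-cors JSON response; `console_message` gives the line a site owner would see for it.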

Sean Feng

Oct 28, 2022, 10:30:43 AM
to dev-pl...@mozilla.org
The patches just made it to mozilla-central. Again, any blocked request will be logged to the browser console as
    The resource at <resource url> was blocked due to its Cross-Origin-Resource-Sharing header (or lack thereof)
and the feature can be toggled by browser.opaqueResponseBlocking. So please file bugs and needinfo 'sefeng' if anything breaks.

Thanks,
Sean Feng

Sean Feng

Nov 16, 2022, 9:53:12 AM
to dev-pl...@mozilla.org
The feature is enabled again in Nightly! Please file bugs if anything breaks.

(It was disabled due to some regressions in loading images.)

Thanks all,
Sean