Summary: Opaque Response Blocking (ORB) is a heuristic intended to block no-cors
cross-origin requests, to prevent those requests from being read by a Spectre attack, while remaining web compatible.
Any blocked request will be logged to the browser console, e.g.: The resource at <resource url> was blocked due to its Cross-Origin-Resource-Sharing header (or lack thereof)
So please file a bug if you experience site breakage and see that some requests are blocked by ORB.
- The initial implementation, which sets up the framework: https://bugzilla.mozilla.org/show_bug.cgi?id=1696111
- The bug which enables the above implementation: https://bugzilla.mozilla.org/show_bug.cgi?id=1785331
Standards Body: There's a PR open which has the actual changes to the Fetch spec: https://github.com/whatwg/fetch/pull/1442
Platform coverage: All
Preference: This feature can be turned off by setting browser.opaqueResponseBlocking
Other browsers: Chrome has ORBv0.1 shipped in 105.
web-platform-tests: No WPTs yet. We have added the initial batch of tests in https://bugzilla.mozilla.org/show_bug.cgi?id=1785331. We have also been relying on all other existing tests to remain web compatible.
I'll bump this email again once the patches land.