- From: Lukasz Anforowicz <notifications@github.com>
- Date: Mon, 07 May 2018 17:29:56 +0000 (UTC)
- To: whatwg/fetch <fetch@noreply.github.com>
- Cc: Subscribed <subscribed@noreply.github.com>
- Message-ID: <whatwg/fetch/pull/686/review/118079080@github.com>
anforowicz commented on this pull request. 
> @@ -2354,6 +2354,55 @@ X-Content-Type-Options = "nosniff" ; case-insensitive</pre> pertain to them. Also, considering "<code>image</code>" was not compatible with deployed content. +<h3 id=corb>CORB</h3> + +<p class="note">Cross-origin read blocking, better known as CORB, is an algorithm by which dubious +cross-origin resource fetches are identified and blocked before they reach a web page. CORB reduces +the risk of leaking sensitive data by keeping it further from cross-origin web pages. + +<p>A <dfn>CORB-protected MIME type</dfn> is an <a>HTML MIME type</a>, a <a>JSON MIME type</a>, or an +<a>XML MIME type</a> excluding <code>image/svg+xml</code>. + +<p class="note no-backref">Accessing cross-origin resources with <a>CORB-protected MIME types</a> is +managed by the <a>CORS protocol</a> (e.g., in case of <a><code>fetch()</code></a> or +{{XMLHttpRequest}}), not observable (e.g., in case of pings or CSP reports which ignore the +response), or would result in an error (e.g., when failing to decode an HTML document embedded in an +<code>img</code> tag as an image). This means that CORB can block <a>CORB-protected MIME types</a> +resources without being disruptive to web pages.

> It wasn't clear to me that this note was talking about what happens aside from CORB.
>
> Maybe start "Even without CORB…"?

Done

> > Accessing cross-origin resources
> Maybe "Accessing the content of cross-origin resources"? Since we allow cross origin resources for imgs, script CSS.

Done.

> fetch() can fetch no-cors so it might not be a good example here.

Good point - I've removed the fetch() example and only left XHR (which AFAIK doesn't have an equivalent of no-cors mode).

> It isn't clear that this is presenting a list of things, so maybe: "…is managed either by the CORS protocol…".

Done.

--
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/whatwg/fetch/pull/686#discussion_r186490809
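Review bot: the second note in the new `<h3 id=corb>` section claims CORB "can block CORB-protected MIME types resources without being disruptive", but the hunk never says what a blocked fetch actually returns, and that is what the claim rests on. The three cases the note lists (a CORS failure for XHR, an ignored response for pings and CSP reports, an image decode error for an HTML document in an `img`) each have an existing observable failure mode; for blocking to be no more disruptive than those, the section needs to state whether a blocked response is surfaced as a network error or as a response whose body is emptied and whose headers are stripped, and that choice should be made where the blocking happens. Related: the first note calls CORB "an algorithm by which dubious cross-origin resource fetches are identified and blocked", yet this hunk adds only the `CORB-protected MIME type` definition and two notes, so either the algorithm steps belong in this section or the note should point at the place in the fetch algorithm that applies them. Minor: "an HTML MIME type, a JSON MIME type, or an XML MIME type excluding image/svg+xml" can be read with the exclusion scoped to the whole list; since `image/svg+xml` is only ever an XML MIME type the result is the same, but "or an XML MIME type that is not `image/svg+xml`" removes the ambiguity.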
Received on Monday, 7 May 2018 17:30:26 UTC