
Cross-Origin Read Blocking - dedalus
https://www.chromium.org/Home/chromium-security/corb-for-developers
======
arkadiyt
If you're interested in cross origin information leaks and defenses against
them (including Cross Origin Read Blocking), I highly recommend this short 7
page summary by Artur Janc and Mike West from Google:

[https://www.arturjanc.com/cross-origin-infoleaks.pdf](https://www.arturjanc.com/cross-origin-infoleaks.pdf)

------
AntonyGarand
Will we be able to report errors using the upcoming report-to header? I didn't
see a report mechanism listed, but like with HPKP and CORS I would like those
errors to be reportable

------
colemickens
Does anyone have good additional links? I don't understand the risk of
delivering an HTML document to a script tag src?

~~~
h000per
This should also help put an end to cross domain search timing attacks. An old
example of one using the IMG tag:

[https://www.idontplaydarts.com/2015/09/cross-domain-timing-a...](https://www.idontplaydarts.com/2015/09/cross-domain-timing-attacks-against-lucene/)

~~~
tedunangst
But Chrome doesn't see the content type until after the response is served.

~~~
untog
No, it sees the content type in the headers that are at the start of the
response. Presumably if that header isn't correct it'll stop downloading any
further data.

~~~
tedunangst
After Lucene has spent some variable amount of time depending on how many
documents match the query...

