DEV Community

Mariam Reba Alexander
Mariam Reba Alexander

Posted on • Edited on

What is CORB?

Have you seen this type of console warning in your browser console ? Cross-Origin Read Blocking (CORB) blocked cross-origin response https://example.com/sub with MIME type application/json. You may be familiar with CORS, but what is CORB ?

First of all, what is CORS ?

Browsers have the security mechanism called same-origin policy which restricts the interaction of a document or script from an origin to a resource from another origin. For example JavaScript in domain-a.com with <script src="https://domain-b.com/example.js"></script> will fail to load in a browser.

CORS(Cross-Origin Resource Sharing) adds HTTP headers that let servers describe which origins are permitted to read an information from a browser. If the above javascript has to load from domain-a.com the server has to return with the following header in the response:

Access-Control-Allow-Origin: https://domain-b.com/example.js
Enter fullscreen mode Exit fullscreen mode

If the server responds with Access-Control-Allow-Origin: *, it means that the resources of domain-a.com can be accessed by any origin. Using wildcard relaxes the security offered by CORS allowing XSS attacks and is therefore not recommended.

It's also important to add the Vary: Origin header to eliminate caching. Without this header, it can lead to cache poisoning/DNS spoofing attacks, which attackers can use to redirect traffic to malicious hosts.

Read further MDN Web Docs: Cross-Origin Resource Sharing (CORS)
HackTricks: CORS - Misconfigurations & Bypass

What is CORB ?

There are two types of data that can be requested from a server:

  • data resources such as HTML, XML, or JSON documents and

  • media resources such as images, JavaScript, CSS, or fonts.

With CORS headers Access-Control-Allow-Origin: * a website can access cross-origin data resources, whereas media resources can be included from any origin, even without permissive CORS headers.

Cross-Origin Read Blocking (CORB) prevents the browser from receiving a cross-origin data resource if it has an X-Content-Type-Options: nosniff or if CORS doesn’t explicitly allow access to the resource.

(X-Content-Type-Options is an HTTP response header used by the server which specifies the MIME types (such as text, font and models) that the Content-Type headers should strictly follow. It allows you to avoid MIME type sniffing.)

Without X-Content-Type-Options: nosniff the browser tries to sniff the the response body to determine its MIME type (MIME sniffing) and allows access to avoid blocking things like JavaScript files, which an attacker can use it to carry out an MIME sniffing XSS attack.

A malicious web page could use an <script> element to load a JSON file with sensitive data, like your bank balance and commit the sensitive data to memory:

<script src="https://your-bank.example/balance.json" />
Enter fullscreen mode Exit fullscreen mode

CORB along with Site isolation protection prevents the above contents of balance.json from ever entering the memory of the renderer process memory based on its MIME type defending against attacks such as Cross-Site Script Inclusion (XSSI) and Speculative Side Channel Attack (e.g. Spectre).

For optimal security and to benefit from CORB, the responses should be marked with the correct Content-Type header.

Read further CORB explainer
CORB for developers

Top comments (0)