@@ -3547,61 +3547,6 @@ X-Content-Type-Options = "nosniff" ; case-insensitive
35473547pertain to them. Also, considering "<code> image</code> " was not compatible with deployed content.
35483548
35493549
3550- <h3 id=corb>CORB</h3>
3551-
3552- <p class="note"> Cross-origin read blocking, better known as CORB, is an algorithm which identifies
3553- dubious cross-origin resource fetches (e.g., fetches that would fail anyway like attempts to render
3554- JSON inside an <code> img</code> element) and blocks them before they reach a web page. CORB reduces
3555- the risk of leaking sensitive data by keeping it further from cross-origin web pages.
3556-
3557- <p> A <dfn>CORB-protected MIME type</dfn> is an <a>HTML MIME type</a> , a <a>JSON MIME type</a> , or an
3558- <a>XML MIME type</a> excluding <code> image/svg+xml</code> .
3559-
3560- <p class="note no-backref"> Even without CORB, accessing the content of cross-origin resources with
3561- <a>CORB-protected MIME types</a> is either managed by the <a>CORS protocol</a> (e.g., in case of
3562- {{XMLHttpRequest}} ), not observable (e.g., in case of pings or CSP reports which ignore the
3563- response), or would result in an error (e.g., when failing to decode an HTML document embedded in an
3564- <code> img</code> element as an image). This means that CORB can block
3565- <a>CORB-protected MIME types</a> resources without being disruptive to web pages.
3566-
3567- <p> To perform a <dfn noexport>CORB check</dfn> , given a <var> request</var> and <var> response</var> ,
3568- run these steps:</p>
3569-
3570- <ol>
3571- <li>
3572- <p> If <var> request</var> 's <a for=request>initiator</a> is "<code> download</code> ", then return
3573- <b> allowed</b> .
3574-
3575- <p class=XXX> If we recast downloading as navigation this step can be removed.
3576-
3577- <li><p> If <var> request</var> 's <a for=request>current URL</a>' s <a for=url>scheme</a> is not an
3578- <a>HTTP(S) scheme</a> , then return <b> allowed</b> .
3579-
3580- <li><p> Let <var> mimeType</var> be the result of <a for="header list">extracting a MIME type</a>
3581- from <var> response</var> 's <a for=response>header list</a> .
3582-
3583- <li><p> If <var> mimeType</var> is failure, then return <b> allowed</b> .
3584-
3585- <li><p> If <var> response</var> 's <a for=response>status</a> is 206 and <var> mimeType</var> is a
3586- <a>CORB-protected MIME type</a> , then return <b> blocked</b> .
3587-
3588- <li>
3589- <p> If <a>determine nosniff</a> with <var> response</var> 's <a for=response>header list</a> is true
3590- and <var> mimeType</var> is a <a>CORB-protected MIME type</a> or its <a for="MIME type">essence</a>
3591- is "<code> text/plain</code> ", then return <b> blocked</b> .
3592-
3593- <p class="note no-backref"> CORB only protects <code> text/plain</code> responses with a
3594- `<code> X-Content-Type-Options: nosniff</code> ` header. Unfortunately, protecting such responses
3595- without that header when their <a for=response>status</a> is 206 would break too many existing
3596- video responses that have a <code> text/plain</code> <a for=/>MIME type</a> .
3597-
3598- <!-- TODO: MIME type confirmation sniffing -->
3599- <!-- TODO: JSON security prefix sniffing -->
3600-
3601- <li><p> Return <b> allowed</b> .
3602- </ol>
3603-
3604-
36053550<h3 id=cross-origin-resource-policy-header>`<code>Cross-Origin-Resource-Policy</code>` header</h3>
36063551
36073552<p> The
@@ -4119,35 +4064,19 @@ steps:
41194064 <a>HTTP(S) scheme</a> .
41204065 [[!HTML]] [[!SW]]
41214066
4122- <dt><var> request</var> 's <a for=request>mode</a> is
4123- "<code> same-origin</code> "
4067+ <dt><var> request</var> 's <a for=request>mode</a> is "<code> same-origin</code> "
41244068 <dd><p> Return a <a>network error</a> .
41254069
4126- <dt><var> request</var> 's <a for=request>mode</a> is
4127- "<code> no-cors</code> "
4070+ <dt><var> request</var> 's <a for=request>mode</a> is "<code> no-cors</code> "
41284071 <dd>
41294072 <ol>
41304073 <li><p> If <var> request</var> 's <a for=request>redirect mode</a> is not "<code> follow</code> ",
41314074 then return a <a>network error</a> .
41324075
4133- <li><p> Set <var> request</var> 's
4134- <a for=request>response tainting</a> to
4135- "<code> opaque</code> ".
4076+ <li><p> Set <var> request</var> 's <a for=request>response tainting</a> to "<code> opaque</code> ".
41364077
4137- <li><p> Let <var> noCorsResponse</var> be the result of running <a>scheme fetch</a> given
4138- <var> fetchParams</var> .
4078+ <li><p> Return the result of running <a>scheme fetch</a> given <var> fetchParams</var> .
41394079 <!-- file URLs end up here as they are not same-origin typically. -->
4140-
4141- <li><p> If <var> noCorsResponse</var> is a <a>filtered response</a> or the <a>CORB check</a> with
4142- <var> request</var> and <var> noCorsResponse</var> returns <b> allowed</b> , then return
4143- <var> noCorsResponse</var> .
4144-
4145- <li>
4146- <p> Return a new <a for=/>response</a> whose <a for=response>status</a> is
4147- <var> noCorsResponse</var> 's <a for=response>status</a> .
4148-
4149- <p class="warning"> This is only an effective defense against side channel attacks if
4150- <var> noCorsResponse</var> is kept isolated from the process that initiated the request.
41514080 </ol>
41524081
41534082 <dt><var> request</var> 's <a for=request>current URL</a>' s <a for=url>scheme</a> is not an
0 commit comments