doc: remove CORB section

[samuel871211]

Description

Motivation

Additional details

Related issues and pull requests

[github-actions]

Preview URLs

• /en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
• /en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options

Flaws (3)

Note! 1 document with no flaws that don't need to be listed. 🎉

URL: /en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
Title: X-Content-Type-Options header
Flaw count: 3

• unknown:
  • No generic content config found
  • no blog root
  • no blog root

External URLs (5)

URL: /en-US/docs/Web/HTTP/Guides/Cross-Origin_Resource_Policy
Title: Cross-Origin Resource Policy (CORP)

• https://github.com/whatwg/fetch/issues/687 (1 time) (Note! This may be a new URL 👀)

---

URL: /en-US/docs/Web/HTTP/Reference/Headers/X-Content-Type-Options
Title: X-Content-Type-Options header

• https://blog.mozilla.org/security/2016/08/26/mitigating-mime-confusion-attacks-in-firefox/ (1 time)
• https://fetch.spec.whatwg.org/ (1 time)
• https://html.spec.whatwg.org/multipage/scripting.html (1 time)
• https://learn.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-vi-beta-2-update (1 time)

(comment last updated: 2025-07-09 07:17:36)

[Josh-Cena]

CORB is a retired concept that is now non-standard: whatwg/fetch#1441 I'm not sure if we need to mention it

[wbamberg]

There's a bit of chat about CORB here: #3526, I'm +1 on removing it.

[bsmth]

I had a small suggestion not to link the second occurrence, but I agree it's better to remove the references instead.

[samuel871211]

@Josh-Cena @wbamberg @bsmth I've removed the section about CORB, you can edit this PR directly.

FYI, Chrome is planning to remove to whole md file of this page: https://www.chromium.org/Home/chromium-security/corb-for-developers/

The discussion can be found here, but it's still ongoing https://issues.chromium.org/issues/428412051

I'm +1 on removing the reference of CORB

[bsmth]

I'd suggest changing the History section to be something like:

The concept was originally proposed in 2012 (as a `From-Origin` header), but [resurrected](https://github.com/whatwg/fetch/issues/687) in Q2 of 2018 and implemented in Safari and Chromium.
In early 2018, two side-channel hardware vulnerabilities known as _Meltdown_ and _Spectre_ were disclosed.
These vulnerabilities allowed sensitive data disclosure due to a race condition which arose as part of speculative execution functionality, designed to improve performance.
Cross-Origin Resource Policy was developed as a direct way for sites to block unwanted `no-cors` cross-origin requests.
This is an effective defense against Spectre-like attacks, as the browser strips the body from given responses before an attacker can access them.

References:

• https://resourcepolicy.fyi/
• https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP
• https://chromestatus.com/feature/5629709824032768
• https://redirect.github.com/whatwg/fetch/issues/687

[samuel871211]

Update at b54c980

[bsmth]

Thanks a lot. I think this is good now. Does anyone else want a quick look? @wbamberg?

[bsmth]

OK I'm going to merge this as-is now! Thanks a lot, @samuel871211