@@ -3552,61 +3552,6 @@ X-Content-Type-Options = "nosniff" ; case-insensitive
35523552pertain to them. Also, considering "<code> image</code> " was not compatible with deployed content.
35533553
35543554
3555- <h3 id=corb>CORB</h3>
3556-
3557- <p class="note"> Cross-origin read blocking, better known as CORB, is an algorithm which identifies
3558- dubious cross-origin resource fetches (e.g., fetches that would fail anyway like attempts to render
3559- JSON inside an <code> img</code> element) and blocks them before they reach a web page. CORB reduces
3560- the risk of leaking sensitive data by keeping it further from cross-origin web pages.
3561-
3562- <p> A <dfn>CORB-protected MIME type</dfn> is an <a>HTML MIME type</a> , a <a>JSON MIME type</a> , or an
3563- <a>XML MIME type</a> excluding <code> image/svg+xml</code> .
3564-
3565- <p class="note no-backref"> Even without CORB, accessing the content of cross-origin resources with
3566- <a>CORB-protected MIME types</a> is either managed by the <a>CORS protocol</a> (e.g., in case of
3567- {{XMLHttpRequest}} ), not observable (e.g., in case of pings or CSP reports which ignore the
3568- response), or would result in an error (e.g., when failing to decode an HTML document embedded in an
3569- <code> img</code> element as an image). This means that CORB can block
3570- <a>CORB-protected MIME types</a> resources without being disruptive to web pages.
3571-
3572- <p> To perform a <dfn noexport>CORB check</dfn> , given a <var> request</var> and <var> response</var> ,
3573- run these steps:</p>
3574-
3575- <ol>
3576- <li>
3577- <p> If <var> request</var> 's <a for=request>initiator</a> is "<code> download</code> ", then return
3578- <b> allowed</b> .
3579-
3580- <p class=XXX> If we recast downloading as navigation this step can be removed.
3581-
3582- <li><p> If <var> request</var> 's <a for=request>current URL</a>' s <a for=url>scheme</a> is not an
3583- <a>HTTP(S) scheme</a> , then return <b> allowed</b> .
3584-
3585- <li><p> Let <var> mimeType</var> be the result of <a for="header list">extracting a MIME type</a>
3586- from <var> response</var> 's <a for=response>header list</a> .
3587-
3588- <li><p> If <var> mimeType</var> is failure, then return <b> allowed</b> .
3589-
3590- <li><p> If <var> response</var> 's <a for=response>status</a> is 206 and <var> mimeType</var> is a
3591- <a>CORB-protected MIME type</a> , then return <b> blocked</b> .
3592-
3593- <li>
3594- <p> If <a>determine nosniff</a> with <var> response</var> 's <a for=response>header list</a> is true
3595- and <var> mimeType</var> is a <a>CORB-protected MIME type</a> or its <a for="MIME type">essence</a>
3596- is "<code> text/plain</code> ", then return <b> blocked</b> .
3597-
3598- <p class="note no-backref"> CORB only protects <code> text/plain</code> responses with a
3599- `<code> X-Content-Type-Options: nosniff</code> ` header. Unfortunately, protecting such responses
3600- without that header when their <a for=response>status</a> is 206 would break too many existing
3601- video responses that have a <code> text/plain</code> <a for=/>MIME type</a> .
3602-
3603- <!-- TODO: MIME type confirmation sniffing -->
3604- <!-- TODO: JSON security prefix sniffing -->
3605-
3606- <li><p> Return <b> allowed</b> .
3607- </ol>
3608-
3609-
36103555<h3 id=cross-origin-resource-policy-header>`<code>Cross-Origin-Resource-Policy</code>` header</h3>
36113556
36123557<p> The
@@ -4125,35 +4070,19 @@ steps:
41254070 <a>HTTP(S) scheme</a> .
41264071 [[!HTML]] [[!SW]]
41274072
4128- <dt><var> request</var> 's <a for=request>mode</a> is
4129- "<code> same-origin</code> "
4073+ <dt><var> request</var> 's <a for=request>mode</a> is "<code> same-origin</code> "
41304074 <dd><p> Return a <a>network error</a> .
41314075
4132- <dt><var> request</var> 's <a for=request>mode</a> is
4133- "<code> no-cors</code> "
4076+ <dt><var> request</var> 's <a for=request>mode</a> is "<code> no-cors</code> "
41344077 <dd>
41354078 <ol>
41364079 <li><p> If <var> request</var> 's <a for=request>redirect mode</a> is not "<code> follow</code> ",
41374080 then return a <a>network error</a> .
41384081
4139- <li><p> Set <var> request</var> 's
4140- <a for=request>response tainting</a> to
4141- "<code> opaque</code> ".
4082+ <li><p> Set <var> request</var> 's <a for=request>response tainting</a> to "<code> opaque</code> ".
41424083
4143- <li><p> Let <var> noCorsResponse</var> be the result of running <a>scheme fetch</a> given
4144- <var> fetchParams</var> .
4084+ <li><p> Return the result of running <a>scheme fetch</a> given <var> fetchParams</var> .
41454085 <!-- file URLs end up here as they are not same-origin typically. -->
4146-
4147- <li><p> If <var> noCorsResponse</var> is a <a>filtered response</a> or the <a>CORB check</a> with
4148- <var> request</var> and <var> noCorsResponse</var> returns <b> allowed</b> , then return
4149- <var> noCorsResponse</var> .
4150-
4151- <li>
4152- <p> Return a new <a for=/>response</a> whose <a for=response>status</a> is
4153- <var> noCorsResponse</var> 's <a for=response>status</a> .
4154-
4155- <p class="warning"> This is only an effective defense against side channel attacks if
4156- <var> noCorsResponse</var> is kept isolated from the process that initiated the request.
41574086 </ol>
41584087
41594088 <dt><var> request</var> 's <a for=request>current URL</a>' s <a for=url>scheme</a> is not an
0 commit comments