CORB: protecting certain nosniff and 206 responses

CORB is an additional filter for responses of cross-origin "no-cors" fetches. It aims to provide defense-in-depth protection for JSON, HTML, XML (though not image/svg+xml), and (sometimes) text/plain resources against cross-process CPU exploits. It also makes it harder to use incorrectly labeled resources as scripts, images, fonts, etc. Discussion and further work is tracked by #681 and #721. Tests are in web-platform-tests's fetch/corb directory.
whatwg · May 17, 2018 · 794dd54 · 794dd54
1 parent 3a896ef
commit 794dd54
Showing 1 changed file with 77 additions and 2 deletions.
diff --git a/fetch.bs b/fetch.bs
@@ -2379,6 +2379,64 @@ X-Content-Type-Options           = "nosniff" ; case-insensitive</pre>
 pertain to them. Also, considering "<code>image</code>" was not compatible with deployed content.
 
 
+<h3 id=corb>CORB</h3>
+
+<p class="note">Cross-origin read blocking, better known as CORB, is an algorithm which identifies
+dubious cross-origin resource fetches (e.g., fetches that would fail anyway like attempts to render
+JSON inside an <code>img</code> element) and blocks them before they reach a web page. CORB reduces
+the risk of leaking sensitive data by keeping it further from cross-origin web pages.
+
+<p>A <dfn>CORB-protected MIME type</dfn> is an <a>HTML MIME type</a>, a <a>JSON MIME type</a>, or an
+<a>XML MIME type</a> excluding <code>image/svg+xml</code>.
+
+<p class="note no-backref">Even without CORB, accessing the content of cross-origin resources with
+<a>CORB-protected MIME types</a> is either managed by the <a>CORS protocol</a> (e.g., in case of
+{{XMLHttpRequest}}), not observable (e.g., in case of pings or CSP reports which ignore the
+response), or would result in an error (e.g., when failing to decode an HTML document embedded in an
+<code>img</code> element as an image). This means that CORB can block
+<a>CORB-protected MIME types</a> resources without being disruptive to web pages.
+
+<p>To perform a <dfn noexport>CORB check</dfn>, given a <var>request</var> and <var>response</var>,
+run these steps:</p>
+
+<ol>
+ <li>
+  <p>If <var>request</var>'s <a for=request>initiator</a> is "<code>download</code>", then return
+  <b>allowed</b>.
+
+  <p class=XXX>If we recast downloading as navigation this step can be removed.
+
+ <li><p>If <var>request</var>'s <a for=request>current url</a>'s <a for=url>scheme</a> is not an
+ <a>HTTP(S) scheme</a>, then return <b>allowed</b>.
+
+ <li><p>Let <var>mimeType</var> be the result of <a for="header list">extracting a MIME type</a>
+ from <var>response</var>'s <a for=response>header list</a>.
+
+ <li><p>If <var>response</var>'s <a for=response>status</a> is <code>206</code> and
+ <var>mimeType</var> (ignoring parameters) is a <a>CORB-protected MIME type</a>, then return
+ <b>blocked</b>.
+
+ <li><p>Let <var>nosniff</var> be the result of <a>extracting header values</a> from the
+ <em>first</em> <a for=/>header</a> whose <a for=header>name</a> is a <a>byte-case-insensitive</a>
+ match for `<a http-header><code>X-Content-Type-Options</code></a>` in <var>response</var>'s
+ <a for=response>header list</a>.
+
+ <li>
+  <p>If <var>nosniff</var> is not failure and <var>mimeType</var> (ignoring parameters) is a
+  <a>CORB-protected MIME type</a> or <code>text/plain</code>, then return <b>blocked</b>.
+
+  <p class="note no-backref">CORB only protects <code>text/plain</code> responses with a
+  `<code>X-Content-Type-Options: nosniff</code>` header. Unfortunately, protecting such responses
+  without that header when their <a for=response>status</a> is <code>206</code> would break too many
+  existing video responses that have a <code>text/plain</code> MIME type.
+
+ <!-- TODO: MIME type confirmation sniffing -->
+ <!-- TODO: JSON security prefix sniffing -->
+
+ <li><p>Return <b>allowed</b>.
+</ol>
+
+
 
 <h2 id=fetching>Fetching</h2>
 
@@ -2713,9 +2771,25 @@ with a <i>CORS flag</i> and <i>recursive flag</i>, run these steps:
      <a for=request>response tainting</a> to
      "<code>opaque</code>".
 
-     <li><p>Return the result of performing a <a>scheme fetch</a>
+     <li><p>Let <var>noCorsResponse</var> be the result of performing a <a>scheme fetch</a> using
-     using <var>request</var>.
+     <var>request</var>.
      <!-- file URLs end up here as they are not same-origin typically. -->
+
+     <li><p>If <var>noCorsResponse</var> is a <a>filtered response</a> or the <a>CORB check</a> with
+     <var>request</var> and <var>noCorsResponse</var> returns <b>allowed</b>, then return
+     <var>noCorsResponse</var>.
+
+     <li>
+      <p>Set <var>corbSanitizedResponse</var> to a new <a for=/>response</a> whose
+      <a for=response>status</a> is <var>noCorsResponse</var>'s <a for=response>status</a>,
+      <a for=response>HTTPS state</a> is <var>noCorsResponse</var>'s
+      <a for=response>HTTPS state</a>, and <a for=response>CSP list</a> is
+      <var>noCorsResponse</var>'s <a for=response>CSP list</a>.
+
+      <p class="warning">This is only an effective defense against side channel attacks if
+      <var>noCorsResponse</var> is kept isolated from the process that initiated the request.
+
+     <li><p>Return <var>corbSanitizedResponse</var>.
     </ol>
 
    <dt><var>request</var>'s <a for=request>current url</a>'s
@@ -6311,6 +6385,7 @@ Larry Masinter,
 Liam Brummitt,
 Louis Ryan,
 Lucas Gonze,
+Łukasz Anforowicz,
 呂康豪 (Kang-Hao Lu),
 Maciej Stachowiak,
 Malisa<!-- malisas; GitHub -->,