annevk/orb
Opaque Response Blocking (CORB++)
Creative Commons Zero v1.0 Universal
35 stars
4 forks
issues
Could someone explain the actual tangible security implication of a browser without CORB and ORB?
#44
markg85
closed
4 months ago
10
Blocking JSON breaks web compat
#43
farre
opened
1 year ago
3
It's unclear how multipart/x-mixed-replace should be handled
#42
farre
opened
1 year ago
3
Avoid ORB checks for navigator.sendBeacon
#41
zcorpan
opened
1 year ago
2
ORB uses `audio-or-video-type-pattern-matching-algorithm` in an indeterministic way.
#40
farre
opened
1 year ago
1
It is unclear if blocking no-cors is web-compatible
#39
smaug----
opened
1 year ago
8
Clarify the behaviour of Javascript Validation when we are waiting for the full body
#38
sefeng211
opened
1 year ago
1
Authentication Request and 401 response code
#37
sefeng211
closed
2 years ago
1
Add a Status section
#36
annevk
closed
2 years ago
0
It is unclear when "To determine whether to allow response response to a request request, run these steps" runs.
#35
smaug----
closed
1 year ago
3
Do JavaScript parser implementations conform to ParseText(text, Script)
#34
annevk
closed
2 years ago
5
Consider an alternative strategy for media that does not rely on media elements directly
#33
anforowicz
opened
2 years ago
8
Should ORB block application/signed-exchange responses
#32
anforowicz
opened
2 years ago
1
Allow all multimedia-related MIME types
#31
anforowicz
opened
2 years ago
0
Should ORB block application/javascript with either JSON or JS-parser-breakers
#30
anforowicz
opened
2 years ago
6
HLS manifest is fetched across origins
#29
annevk
opened
2 years ago
12
Stricter filter for responses without MIME type
#28
annevk
opened
3 years ago
0
Blocklist based on sniffing
#27
annevk
opened
3 years ago
0
Block manifest-based media and WebVTT
#26
annevk
closed
3 years ago
0
Limit performance impact by restricting Javascript sniffing/parsing to "script" destinations
#25
anforowicz
closed
3 years ago
3
Impact on streaming responses
#24
anforowicz
closed
3 years ago
2
Add application/dash+xml to opaque-safelisted MIME types.
#23
anforowicz
closed
3 years ago
21
No size limit
#22
MattMenke2
opened
3 years ago
10
Ambiguity in spec around how much of body is parsed as JS/JSON
#21
MattMenke2
closed
3 years ago
2
Consider explicitly handling "application/dash+xml" MIME type
#20
anforowicz
closed
2 years ago
4
Incentives against using `text/javascript` almost everywhere
#19
anforowicz
opened
3 years ago
1
Restrict fetch(..., { mode: "no-cors" }) more
#18
annevk
opened
3 years ago
0
Add `application/x-protobuffer` to the list of opaque-blocklisted-never-sniffed MIME types
#17
ddworken
closed
3 years ago
0
Improve logic for media elements
#16
annevk
closed
2 years ago
5
nosniff for CSS and JS is now part of the algorithm
#15
annevk
closed
3 years ago
0
Add MIME types that are never sniffed
#14
annevk
closed
3 years ago
0
Clarify that the parser operates on the entire response
#13
annevk
closed
3 years ago
1
Could be stricter on safelisted CSS and JS MIME types
#12
annevk
opened
3 years ago
0
Allow less potential CSS
#11
annevk
closed
3 years ago
2
Take into account the Chromium's never-sniff MIME types
#10
annevk
closed
3 years ago
1
Can be stricter when mimeType is failure and nosniff is true
#9
annevk
closed
3 years ago
0
Make it harder to reach the dreaded "parse as JavaScript" step
#8
annevk
closed
3 years ago
0
How to decode potential JavaScript
#7
annevk
opened
3 years ago
6
Incorporate more blocking before parsing as JavaScript
#6
annevk
closed
3 years ago
0
embed/object
#5
annevk
closed
2 years ago
7
Restrict opaque-safelisted requesters set more?
#4
annevk
closed
2 years ago
4
Graceful fallback for future image types
#3
anforowicz
opened
4 years ago
47
JSON vs Javascript lists
#2
anforowicz
closed
3 years ago
1
Take 2 of the algorithm
#1
annevk
closed
4 years ago
0