JAKE: I was in a meeting yesterday. Paul Lewis was there. He did an amazing mixed metaphor. Something like, you know, we don't want to rock the boat till it's in the bag. And it's like, don't put boats in bags. Like, I can't--

[MUSIC PLAYING]

SURMA: So.

JAKE: So the topic I am putting on the conveyor belt is CORB.

SURMA: CORB.

JAKE: CORB.

[LAUGHTER]

JAKE: This is--

SURMA: The Swedish Chef, CORB.

JAKE: CORB, CORB, CORB. This is Cross-Origin Read Blocking. And I always want to say resource, but it's read. I've got it written there.

SURMA: Did it used to be Resource Blocking, and it got renamed to Read Blocking?

JAKE: I don't know. CORS is--

BOTH: Cross-Origin Resource--

JAKE: Sharing.

[LAUGHTER]

SURMA: What is the S in CORS?

JAKE: Let's say sharing. Security? No. It's not Security. It's Sharing. Let's say Sharing. It's Sharing. Now, this is a new behavior in the Fetch spec that was sort of added by some Chrome folks. And it's kind of to do with Meltdown and Spectre.

SURMA: Oh, is that where we had the cool headline that because of Meltdown-Spectre, Chrome uses more RAM now?

JAKE: Oh, yeah. Well, it's not to do with this exactly. But yes, that has been a problem with it. But the more memory thing, that's more to do with site isolation.

SURMA: Oh, I thought it was part of site isolation. Interesting. See? I learned something.

JAKE: It's sort of to do with it.

SURMA: In case you don't know, I wrote an article on site isolation. I will link to it in the description.

JAKE: Oh, did you?

SURMA: I think so.

[LAUGHTER]

SURMA: I think I had three weeks of security reviews on it. Because it was--

JAKE: Oh, that's right. Yes. Back in the-- yes, of course you did.

SURMA: Back in the day, when it was announced.

JAKE: When it was-- yes. So we'll add that in. Yes. And isolation is-- Chrome has been putting tabs in different processes since version 1. We were the first to do that, I think. But we didn't do it with iframes. And we didn't do it-- in some cases, we didn't do it with new windows. Like, sometimes if you were clicking-- if it was window.open, I don't think we put that in a-- well, that has the opener thing. So there were some cases where we weren't putting these things in different processes. Meltdown-Spectre came along, and we went, we've got this problem.

SURMA: This is an entry point for us.

JAKE: Yes. Where memory that's in the same process can--

SURMA: Freefall! You can just read it if you do it right.

JAKE: Yes. Through a lot of trickery, and a lot of effort.

SURMA: I should probably be more careful about what I say about Meltdown-Spectre, right?

JAKE: Oh, yeah. We need to get this reviewed.

SURMA: Spreading more fear, uncertainty, and doubt about this is probably not the best idea.

JAKE: It's a very tricky hack, but it's something that we need to be careful of. So we thought, well, oh, this thing where we are putting things in different tabs, different processes-- really good idea. But we just need to finish that work. And so we did that. And that was like OOPIFs, which was Out-Of-Process IFrames.

SURMA: Oh, the OOPIFs!

JAKE: OOPIFs. And so that was all part of isolation. Same with windows. And we've done that work, and we've shipped it. More processes means more memory. Ta-da! But it means more security, and that's more important. So that solves the problem of another origin's iframe sharing a process with you and being able to potentially maybe get at that data through Meltdown-Spectre. But we have a lot of APIs on the web that let you read data from another origin. With the other origin's cookies. And have it do things on your page.

SURMA: Script tag includes.

JAKE: Script tag.

SURMA: Images.

JAKE: Images. Video, audio.

SURMA: Style sheets?

JAKE: Style sheets.

SURMA: Style sheets.

JAKE: Correct. Yeah. Lots of stuff. Those are the main ones.

SURMA: And this is bypassing CORS, right? This is just like, do a request. But you can't read it, in terms of like, JavaScript could read it byte by byte. But it's just going to get incorporated into the page, one way or the other.

JAKE: Exactly. And so the danger is, if you have this image tag, we'll say, pointing at facebook.com. It's going to load that data in, and it's going to have an image decode error. But that data does go into the process.

SURMA: It's in the memory.

JAKE: It's in the memory.

SURMA: Because it had to be there to get [INAUDIBLE]. And then the browser can determine, this is actually an image, mate.

JAKE: Yes. And it's the same for-- I mean, the Fetch API lets you do no-cors fetches. So that's number one. And the same with script tags and everything. Even if it fails to load because it's the wrong type, it has still gone into that process. So that is what CORB is all about. The way it works is, if it's a no-cors fetch, cross-origin, the data comes back. And what it does is it tries to determine ahead of time, before it sends the data back to the API, like the image tag or whatever-- it's like, hang on a minute. Does this seem like something that you're not going to be able to use anyway? Does it seem like something that could potentially hold private data?

SURMA: OK.

JAKE: And it looks at MIME types right now for things like--

SURMA: MIME types deduced from the file extension?

JAKE: Determined from the Content-Type header.

SURMA: Oh. So basically, it sends out the fetch. And gets a response out of process. Data analysis. And then decides whether the data goes into the tab process or not.

JAKE: Exactly. And if it's text/html, or if it is JSON, or if it is XML-- except for SVG-- that's when it kind of goes, this looks dangerous. This looks dodgy. I'm just going to fail. And that fetch will never go back into process. Right now, we're relying--

SURMA: Even when I want to include an HTML file?

JAKE: You can't include an HTML file as an image. You can't include it as scripts. These are all formats that are definitely going to fail.

SURMA: True. OK. I'm with you.

JAKE: Right now, you need the header for strict MIME type checking. But we're going a step further, and we're experimenting with actually, rather than relying on MIME types, sniffing the data. So even if it's served as script, but it's quite clearly HTML, or quite clearly it's not an image, it's something else-- we can look at it and make a judgment call. We don't actually want this data to end up in the process. We're pretty confident this API is not going to be able to do anything with it anyway. And that's how it works. There's some weird edge cases. Like, text/plain is another one of the formats that we think could have user data in. Less likely, but possible.

SURMA: But lots of script tags load their scripts with text/plain.

JAKE: Not anymore, they don't.

[LAUGHTER]

JAKE: Because we're blocking that. No, it turns out that's not happening a lot.

SURMA: Interesting. I thought that-- OK. Sure. Cool.

JAKE: Not cross-origin, anyway. But one API that does receive a lot of text/plain-- can you guess which one receives a lot of text/plain?

SURMA: Style sheets?

JAKE: It is video. Yeah. There is a load of video data out there that is served as text/plain for no good reason.

SURMA: That is very confusing.

JAKE: So there's had to be an exception for that. Like, if the response is a range response, 206, then if it's text/plain, fine. Whatever.

SURMA: Oh, look. It's cross-origin video. That sounds familiar.

JAKE: Right. Yes. You thought about that before as well. So, yeah. That's CORB. People shouldn't see any difference.

SURMA: I was going to say, it's basically a no-op for most people. Unless you want to opt in with the MIME type checking to make it better?

JAKE: Yes. And that will protect your data more against--

SURMA: Or your users' data.

JAKE: Absolutely. Your users' data. And you might see failures in cases where you maybe are relying on this text/plain thing to be--

SURMA: I mean, in the end, you want to make sure your content types are correct anyway.

JAKE: Yes. And we've made a judgement call that it's so--

SURMA: The percentage of breakage is low enough for us to take that damage.

JAKE: And the benefit of a security upgrade from Meltdown-Spectre is worth it. So that's CORB.

[MUSIC PLAYING]

SURMA: (SINGING) Cut my podcast into pieces!

[LAUGHTER]

JAKE: (SINGING) Cut my life into pizzas. This is my second course. Right.