CORB - HTTP203

Video Statistics and Information

Captions
JAKE: I was in a meeting yesterday. Paul Lewis was there. He did an amazing mixed metaphor. Something like, you know, we don't want to rock the boat 'til it's in the bag. And it's like, don't put boats in bags. Like, I can't--
[MUSIC PLAYING]
SURMA: So.
JAKE: So the topic I am putting on the conveyor belt is CORB.
SURMA: CORB.
JAKE: CORB. [LAUGHTER] This is--
SURMA: The Swedish Chef, CORB.
JAKE: CORB, CORB, CORB. This is Cross-Origin Read Blocking. And I always want to say Resource, but it's Read. I've got it written there.
SURMA: Did it use to be Resource Blocking, and it renamed to Read Blocking?
JAKE: I don't know. CORS is--
BOTH: Cross-Origin Resource--
JAKE: Sharing.
[LAUGHTER]
SURMA: What is the S in CORS?
JAKE: Let's say Sharing. Security? No. It's not Security. It's Sharing. Let's say Sharing. It's Sharing. Now, this is a new behavior in the Fetch spec that was sort of added by some Chrome folks. And it's kind of to do with Meltdown and Spectre.
SURMA: Oh, is that where we had the cool headline that because of mother inspector, Chrome uses more RAM now?
JAKE: Oh, yeah. Well, it's not to do with this exactly. But yes, that has been a problem with it. But the more memory thing, that's more to do with site isolation.
SURMA: Oh, I thought it was part of site isolation. Interesting. See? I learned something.
JAKE: It's sort of to do with it.
SURMA: In case you don't know, I wrote an article on site isolation. I will link to it in the description.
JAKE: Oh, did you?
SURMA: I think so. [LAUGHTER] I think I had three weeks of security reviews on it. Because it was--
JAKE: Oh, that's right. Yes. Back in the-- yes, of course you did.
SURMA: Back in the day, when it was announced.
JAKE: When it was-- yes. So we'll add that in. Yes. And site isolation is-- Chrome has been putting tabs in different processes since version 1. We were the first to do that, I think. But we didn't do it with iframes. And we didn't do it-- in some cases, we didn't do it with new windows. Like, sometimes if you were clicking-- if it was window.open, I don't think we put that in a-- well, that has the opener thing. So there were some cases where we weren't putting these things in different processes. Meltdown-Spectre came along, and we went, we've got this problem.
SURMA: This is an entry point for us.
JAKE: Yes. Where memory that's in the same process can--
SURMA: Freefall! You can just read it if you do it right.
JAKE: Yes. Through a lot of trickery, and a lot of effort.
SURMA: I should probably be more careful about what to say about mother inspector, right?
JAKE: Oh, yeah. We need to get this reviewed.
SURMA: Spreading more fear, uncertainty, and doubt about this is probably not the best idea.
JAKE: It's a very tricky hack, but it's something that we need to be careful of. So we thought, well, oh, this thing where we are putting things in different tabs, different processes-- really good idea. But we just need to finish that work. And so we did that. And that was like OOPIFs, which was Out-of-Process iframes.
SURMA: Oh, the OOPIFs!
JAKE: OOPIFs. And so that was all part of site isolation. Same with windows. And we've done that work, and we've shipped it. More processes means more memory. Ta-da! But it means more security, and that's more important. So that solves the problem of another origin's iframe sharing a process with you and being able to potentially maybe get at that data through Meltdown-Spectre. But we have a lot of APIs on the web that let you read data from another origin. With the other origin's cookies. And have it do things on your page.
SURMA: Script tag includes.
JAKE: Script tag.
SURMA: Images.
JAKE: Images. Video, audio.
SURMA: Style sheets?
JAKE: Style sheets.
SURMA: Style sheets.
JAKE: Correct. Yeah. Lots of stuff. Those are the main ones.
SURMA: And this is bypassing CORS, right? This is just like, do a request. But you can't read it, in terms of like, JavaScript could read it byte by byte. But it's just going to get incorporated into the page, one way or the other.
JAKE: Exactly. And so the danger is, if you have this image tag, we'll say, pointing at Facebook.com. It's going to load that data in, and it's going to have an image decode error. But that data does go into the process.
SURMA: It's in the memory.
JAKE: It's in the memory.
SURMA: Because it had to be there to get [INAUDIBLE]. And then the browser can determine, this is actually an image, mate.
JAKE: Yes. And it's the same for-- I mean, the Fetch API lets you do no-cors fetches. So that's number one. And the same with script tags and everything. Even if it fails to load because it's the wrong type, it has still gone into that process. So that is what CORB is all about. The way it works is, if it's a no-cors fetch kind of origin, the data comes back. And what it does is it tries to determine ahead of time, before it sends the data back to the API, like the image tag or whatever-- it's like, hang on a minute. Does this seem like something that you're not going to be able to use anyway? Does it seem like something that could potentially hold private data?
SURMA: OK.
JAKE: And it looks at MIME types right now for things like--
SURMA: MIME types deduced from the file extension?
JAKE: Determined from the Content-Type header.
SURMA: Oh. So basically, it sends out the fetch. And gets a response out of process. Data analysis. And then decides whether the data goes into the tab's process or not.
JAKE: Exactly. And if it's text/html, or if it is JSON, or if it is XML-- except for SVG-- that's when it kind of goes, this looks dangerous. This looks dodgy. I'm just going to fail. And that fetch will never go back into the process. Right now, we're relying--
SURMA: Even when I want to include an HTML file?
JAKE: You can't include an HTML file as an image. You can't include it as a script. These are all formats that are definitely going to fail.
SURMA: True. OK. I'm with you.
JAKE: Right now, you need the header for strict MIME type checking. But we're going a step further, and we're experimenting with actually, rather than relying on MIME types, sniffing the data. So even if it's served as script, but it's quite clearly HTML, or quite clearly it's not an image, it's something else-- we can look at it and make a judgment call. We don't actually want this data to end up in the process. We're pretty confident this API is not going to be able to do anything with it anyway. And that's how it works. There are some weird edge cases. Like, text/plain is another one of the formats that we think could have user data in. Less likely, but possible.
SURMA: But lots of script tags load their scripts with text/plain.
JAKE: Not anymore, they don't. [LAUGHTER] Because we're blocking that. No, it turns out that's not happening a lot.
SURMA: Interesting. I thought that-- OK. Sure. Cool.
JAKE: Not cross-origin, anyway. But one API that does receive a lot of text/plain-- can you guess which one receives a lot of text/plain?
SURMA: Style sheets?
JAKE: It is video. Yeah. There is a load of video data out there that is served as text/plain for no good reason.
SURMA: That is very confusing.
JAKE: So there has had to be an exception for that. Like, if the response is a range response, 206, then if it's text/plain, fine. Whatever.
SURMA: Oh, look. It's cross-origin video. That sounds familiar.
JAKE: Right. Yes. You thought about that before as well. So, yeah. That's CORB. People shouldn't see any difference.
SURMA: I was going to say, it's basically a no-op for most people. Unless you want to opt in with the MIME type checking to make it better?
JAKE: Yes. And that will protect your data more against--
SURMA: Or your users' data.
JAKE: Absolutely. Your users' data. And you might see failures in cases where you maybe are relying on this text/plain thing to be--
SURMA: I mean, in the end, you want to make sure your Content-Type headers are correct anyway.
JAKE: Yes. And we've made a judgement call that it's so--
SURMA: The percentage of breakage is low enough for us to take that damage.
JAKE: And the benefit of a security upgrade from Meltdown-Spectre is worth it. So that's CORB.
[MUSIC PLAYING]
SURMA: (SINGING) Cut my podcast into pieces!
[LAUGHTER]
JAKE: (SINGING) Cut my life into pizzas. This is my second course. Right.
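The decision Jake walks through above, written out as a small model in Python. This is an added illustration, not Chrome's implementation: the protected type list, the `206` text/plain exception and the "strict when `X-Content-Type-Options: nosniff` is set, otherwise sniff" rule come from the conversation, while the sniffing heuristic itself is a deliberately simple stand-in of my own.

```python
# Simplified model of Cross-Origin Read Blocking (CORB) for a no-cors,
# cross-origin response. Not Chrome's code; the type list and rules follow
# the HTTP203 discussion, the sniffer is a constructed heuristic.

# MIME types that could carry private data and that <img>, <script>,
# <link rel=stylesheet>, <video> etc. can never consume anyway.
PROTECTED_TYPES = {
    "text/html", "text/plain", "text/xml", "application/xml", "application/json",
}


def normalise_mime(content_type):
    """Lower-case the media type and drop parameters such as charset."""
    return content_type.split(";", 1)[0].strip().lower()


def sniffs_as_protected(body_prefix):
    """Constructed heuristic: does the start of the body look like HTML,
    XML or JSON? Real sniffers are far more careful than this."""
    head = body_prefix.lstrip()[:512].lower()
    html_or_xml = (b"<!doctype html", b"<html", b"<head", b"<body",
                   b"<?xml", b"<script")
    if head.startswith(html_or_xml):
        return True
    return head.startswith((b"{", b"["))     # JSON object or array


def corb_should_block(content_type, status, nosniff=False, body_prefix=b""):
    """Return True if the response must be kept out of the tab's process.

    content_type: value of the Content-Type response header
    status:       HTTP status code (206 marks a range response)
    nosniff:      True if X-Content-Type-Options: nosniff was sent
    body_prefix:  first bytes of the body, used only when sniffing
    """
    mime = normalise_mime(content_type)
    if mime == "image/svg+xml":          # XML, but a legitimate image format
        return False
    if mime not in PROTECTED_TYPES:      # images, scripts, video... pass through
        return False
    if mime == "text/plain" and status == 206:
        return False                     # range requests: video served as text/plain
    if nosniff:                          # strict MIME type checking opted in
        return True
    return sniffs_as_protected(body_prefix)   # otherwise look at the bytes
```

The `nosniff` path is the opt-in the two discuss: with the header set, a protected type is blocked on the Content-Type alone, so the decision never depends on how convincing the body looks.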
Info
Channel: Google Chrome Developers
Views: 14,657
Rating: 4.8232045 out of 5
Keywords: CORB, Cross origin read blocking, corb web, corb web developers, meltdown and spectre, site isolation, OOPIFs, OOPIF, out of process iframes, iframes, cross origin loads, resource loads, cross origin, cross domain resource loads, cross domain, chrome security, web security, data protection, web data security, website security, data privacy, secure web, javascript corb, fetch issues, corb and web compatibility, web, chrome, google chrome, web developers, GDS: Yes;
Id: _5rX6pt0A_k
Length: 8min 22sec (502 seconds)
Published: Tue Aug 21 2018