TechQA.

Why are cross-origin isolation and CORB/CORP both needed?

225 views Asked by At

Abbreviations used:

  • CORP: Cross Origin Resource Policy
  • CORS: Cross Origin Resource Sharing
  • CORB: Cross Origin Read Blocking
  • SSCAs: speculative side-channel attacks, like Spectre

I've read this article, but I still don't understand why are cross-origin isolation and CORB/CORP both needed. Specifically:

  • If webpages can perform SSCAs without using cross-origin isolated features (like SharedArrayBuffer), which is what Chromium assumes:

    • Why is it necessary to be cross-origin isolated to have access to those features?

  • Otherwise, if webpages can't perform SSCAs without using cross-origin isolated features:

    • Why are CORB and CORP needed?

Also, since webpages can perform SSCAs using cross-origin isolated features, what is the difference between using Cross-Origin-Resource-Policy: cross-origin and Access-Control-Allow-Origin: *, since SSCAs can be used to read data just by embedding a resource and Access-Control-Allow-Origin: * isn't needed for it?

websecurity cross-origin-read-blocking spectre side-channel-attacks cross-origin-resource-policy
Original Q&A
0

There are 0 answers

Related Questions in WEBSECURITY

Related Questions in CROSS-ORIGIN-READ-BLOCKING

Related Questions in SPECTRE

Related Questions in SIDE-CHANNEL-ATTACKS

Related Questions in CROSS-ORIGIN-RESOURCE-POLICY

Popular Questions

Popular Tags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Trending Questions