Jim Nielsen’s Blog

CORS, CORB, CORP, COOP, COEP, C…

You’ve probably heard of CORS, but did you know about CORB, CORP, COOP, or COEP?

I recently watched “A Hipster History of CORS”, a talk from Strange Loop 2022 by Devdatta Akhawe, Head of Security at Figma. Devdatta does a great job of taking a complex, even boring, subject like CORS and weaving it into a funny, interesting narrative history. He connected many previously disparate dots in my head, making me go “Ah-ha! That’s why things are the way they are on the web.”

For example, when working on my Readlists project, I ran into an issue where I couldn’t use JavaScript to read the contents of an image fetched from a third-party website. I couldn’t understand why there was a limitation there. “I fetch images all the time with <img src="..."> but I guess JavaScript’s not gonna let me?”

After Devdatta’s talk and an introduction to cross-origin read blocking (CORB), I now understand better.

[attacker.com can ask for mail.google.com] as an image. The browser doesn’t know that’s not an image. For the browser, everything is a URI. So the browser [will fetch it] and say “here’s mail.google.com (and everything in the body)” and the attacker.com process can just read everything in it.
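The scenario in that quote, as an added illustration that is not part of the post or the talk: a simplified JavaScript model of the CORB decision a browser makes before handing a cross-origin response to the page that requested it as an image. This is not Chromium’s code. The `corbDecision` function, the sniffing heuristics and the constructed sample responses are assumptions made for this example, based on the documented shape of CORB: HTML, XML and JSON are the protected types, `X-Content-Type-Options: nosniff` lets the browser block without looking at the body, and otherwise the body is sniffed so that images a server has mislabelled as `text/html` keep working.

```javascript
// Added example, not code from Jim Nielsen's post or from Devdatta's talk.
// A simplified model of Cross-Origin Read Blocking (CORB): when attacker.com
// loads mail.google.com as an <img>, the browser fetches it, but CORB keeps
// the body out of attacker.com's renderer process if it looks like HTML,
// XML or JSON. This is not Chromium's implementation; the response shapes,
// sniffers and corbDecision() are assumptions made for this illustration.

// MIME types CORB protects. image/svg+xml is an image format, so it is not
// protected even though it ends in +xml.
const PROTECTED_TYPES = new Set([
  "text/html", "text/xml", "application/xml", "application/json", "text/json",
]);

// "text/html; charset=utf-8" -> "text/html"
function mimeEssence(contentType) {
  return (contentType || "").split(";")[0].trim().toLowerCase();
}

function isProtectedType(mime) {
  if (mime === "image/svg+xml") return false;
  return PROTECTED_TYPES.has(mime) || mime.endsWith("+xml") || mime.endsWith("+json");
}

// Content sniffers. Real browsers sniff the first bytes of the body; the body
// is a string here so the example stays readable.
function sniffsLikeHtml(body) {
  const head = body.trimStart().slice(0, 512).toLowerCase();
  return ["<!doctype html", "<html", "<head", "<body", "<script", "<iframe", "<!--"]
    .some((tag) => head.startsWith(tag));
}

function sniffsLikeXml(body) {
  return body.trimStart().startsWith("<?xml");
}

function sniffsLikeJson(body) {
  // JSON objects/arrays, plus common "parser breaker" prefixes that sites
  // put in front of JSON so it cannot be loaded as a <script>.
  return /^(\{|\[|\)\]\}'|\{\}&&|for\s*\(;;\);)/.test(body.trimStart());
}

// Does the body look like the type the server claimed? Servers mislabel
// images as text/html often enough that CORB confirms by sniffing before it
// blocks; text/plain is checked against all three protected shapes.
function bodyMatchesType(mime, body) {
  if (mime === "text/html") return sniffsLikeHtml(body);
  if (mime.endsWith("xml")) return sniffsLikeXml(body);
  if (mime.endsWith("json")) return sniffsLikeJson(body);
  if (mime === "text/plain") {
    return sniffsLikeHtml(body) || sniffsLikeXml(body) || sniffsLikeJson(body);
  }
  return false;
}

// response is {status, headers, body}; sameOrigin/corsAllowed model the cases
// CORB never applies to. Returns {blocked, reason}.
function corbDecision(response, { sameOrigin = false, corsAllowed = false } = {}) {
  if (sameOrigin || corsAllowed) {
    return { blocked: false, reason: "same-origin or CORS-approved; CORB does not apply" };
  }
  const headers = Object.fromEntries(
    Object.entries(response.headers || {}).map(([k, v]) => [k.toLowerCase(), v]),
  );
  const mime = mimeEssence(headers["content-type"]);
  const nosniff = (headers["x-content-type-options"] || "").trim().toLowerCase() === "nosniff";
  const body = response.body || "";

  if (isProtectedType(mime)) {
    // nosniff means the server vouches for the type: block without sniffing.
    if (nosniff) return { blocked: true, reason: `${mime} with nosniff` };
    // A 206 body may not start at byte 0, so it cannot be sniffed reliably.
    if (response.status === 206) return { blocked: true, reason: `${mime} partial content` };
  }
  if ((isProtectedType(mime) || mime === "text/plain") && bodyMatchesType(mime, body)) {
    return { blocked: true, reason: `${mime} body sniffs as HTML/XML/JSON` };
  }
  return { blocked: false, reason: "not a protected resource; delivered to the page" };
}

// Constructed sample responses (not captured traffic).
const SAMPLES = {
  // What attacker.com's <img src="https://mail.google.com/..."> really gets back.
  gmailAsImage: { status: 200, headers: { "Content-Type": "text/html; charset=utf-8" },
    body: "<!DOCTYPE html><html><body>Inbox: 3 unread</body></html>" },
  realPng: { status: 200, headers: { "Content-Type": "image/png" }, body: "\x89PNG\r\n\x1a\n..." },
  // Claimed text/html, but the bytes are a PNG: sniffing fails, so CORB lets it through.
  mislabelledPng: { status: 200, headers: { "Content-Type": "text/html" }, body: "\x89PNG\r\n\x1a\n..." },
  apiJson: { status: 200, headers: { "Content-Type": "application/json",
    "X-Content-Type-Options": "nosniff" }, body: '{"csrf_token":"abc123"}' },
  plainTextJson: { status: 200, headers: { "Content-Type": "text/plain" }, body: ')]}\'\n{"contacts":[]}' },
};

for (const [name, resp] of Object.entries(SAMPLES)) {
  const { blocked, reason } = corbDecision(resp);
  console.log(`${name}: ${blocked ? "BLOCKED" : "allowed"} (${reason})`);
}
```

Running this with `node` prints a verdict for each constructed sample. The two cases worth staring at are `mislabelledPng`, the compatibility problem that forces CORB to sniff rather than trust the header, and `apiJson`, where the server’s own `nosniff` header lets the browser block without reading a byte of the body.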

It’s a great story condensed into a thirty minute talk. Thank you Devdatta!