
I'm trying to fetch an HTML file located at the URL https://sub.app.test/html from https://app.test using no-cors mode, but the response is blocked by CORB (cross-origin read blocking).

fetch('https://sub.app.test/html', { mode: 'no-cors'})

Why?

marzelin
  • Even if you didn’t run into any CORB problem, specifying 'no-cors' mode will block your frontend JavaScript code from accessing the response body or response headers at all. For details, see the answers at https://stackoverflow.com/questions/43262121/trying-to-use-fetch-and-pass-in-mode-no-cors/43268098#43268098 and https://stackoverflow.com/a/43319482/441757 – sideshowbarker Feb 28 '19 at 10:20
  • @sideshowbarker yes, I'm aware that `no-cors` responses are usable only as a source for sivaleio elements since they aren't limited by SOP – marzelin Feb 28 '19 at 11:36

1 Answer


Even though no-cors mode is used (so the response doesn't need to have Access-Control-Allow-Origin to be allowed), the request is blocked by CORB because HTML content is considered a data resource (it may contain sensitive data). Any resource that has the MIME type text/html (and HTML is sniffed in the response body, or X-Content-Type-Options: nosniff is set) will be blocked by CORB so that sensitive data cannot be leaked using speculative side-channel attacks like the Spectre vulnerabilities (the resource won't be added to the site renderer's memory).

There are a few ways to bypass this constraint:

  • serve the resource from the same origin (app.test)
  • use cors mode (server needs to add correct Access-Control header)
  • change MIME type to something other than text/html or don't set the header at all (hacky)

read more:

marzelin
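The decision the answer describes, as an added example that is not part of the original question or answer: a small JavaScript model of CORB's classification, run against constructed responses that mirror the question and the three workarounds. The origins, headers and bodies are made up for illustration; the sniffing heuristics are a simplification of what the browser does; and XML and JSON are included as protected types because CORB treats them like HTML, which goes beyond the text/html case the answer discusses.

```javascript
// Added example, not from the original post: a model of the CORB decision
// described in the answer, applied to constructed responses.

// Body sniffers for the protected types (simplified versions of the browser's
// checks; the page only discusses HTML, XML and JSON are an addition here).
const SNIFFERS = {
  html: (body) => /^\s*<(!doctype\s+html|html|head|body|script|iframe|meta|title|div|p|a|table)\b/i.test(body),
  xml:  (body) => /^\s*<\?xml/i.test(body),
  json: (body) => {
    try { const v = JSON.parse(body); return v !== null && typeof v === 'object'; }
    catch { return false; }
  },
};

// Map a Content-Type header to the protected kind it belongs to, or null.
function protectedKind(contentType) {
  const mime = (contentType || '').split(';')[0].trim().toLowerCase();
  if (mime === 'text/html') return 'html';
  if (mime === 'text/xml' || mime === 'application/xml' || mime.endsWith('+xml')) return 'xml';
  if (mime === 'application/json' || mime === 'text/json' || mime.endsWith('+json')) return 'json';
  return null;
}

// Header names are case-insensitive; normalise once for lookups.
function lowerKeys(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Decide whether a fetch() issued from requestOrigin with the given mode would
// have this response withheld from the renderer. Returns { blocked, reason }.
function corbDecision(requestOrigin, mode, response) {
  const headers = lowerKeys(response.headers || {});

  // 1. Same-origin responses are never subject to CORB (workaround 1).
  if (new URL(response.url).origin === requestOrigin) {
    return { blocked: false, reason: 'same-origin' };
  }

  // 2. In cors mode the CORS check decides; a passing check exempts the
  //    response from CORB (workaround 2). A failing check is a network error.
  if (mode === 'cors') {
    const acao = headers['access-control-allow-origin'];
    if (acao === '*' || acao === requestOrigin) return { blocked: false, reason: 'cors-allowed' };
    return { blocked: true, reason: 'cors-check-failed' };
  }

  // 3. no-cors: CORB applies only to protected types (workaround 3 changes or
  //    drops the Content-Type so this step is never reached).
  const kind = protectedKind(headers['content-type']);
  if (!kind) return { blocked: false, reason: 'unprotected-type' };

  // nosniff means "trust the header", so the body is not inspected at all.
  const nosniff = /nosniff/i.test(headers['x-content-type-options'] || '');
  if (nosniff) return { blocked: true, reason: `${kind}+nosniff` };

  // Otherwise the body must confirm the declared type before CORB blocks it.
  if (SNIFFERS[kind](response.body || '')) return { blocked: true, reason: `${kind}+sniffed` };
  return { blocked: false, reason: 'sniff-mismatch' };
}

// Constructed scenarios (not real traffic) using the question's origins.
const ORIGIN = 'https://app.test';
const HTML = '<!DOCTYPE html><html><body>account balance</body></html>';
const SCENARIOS = {
  question:   { mode: 'no-cors', response: { url: 'https://sub.app.test/html', headers: { 'Content-Type': 'text/html; charset=utf-8' }, body: HTML } },
  nosniff:    { mode: 'no-cors', response: { url: 'https://sub.app.test/html', headers: { 'Content-Type': 'text/html', 'X-Content-Type-Options': 'nosniff' }, body: 'not html at all' } },
  sameOrigin: { mode: 'no-cors', response: { url: 'https://app.test/html', headers: { 'Content-Type': 'text/html' }, body: HTML } },
  cors:       { mode: 'cors',    response: { url: 'https://sub.app.test/html', headers: { 'Content-Type': 'text/html', 'Access-Control-Allow-Origin': 'https://app.test' }, body: HTML } },
  otherType:  { mode: 'no-cors', response: { url: 'https://sub.app.test/html', headers: { 'Content-Type': 'application/octet-stream' }, body: HTML } },
  noHeader:   { mode: 'no-cors', response: { url: 'https://sub.app.test/html', headers: {}, body: HTML } },
};

function runScenarios() {
  return Object.fromEntries(
    Object.entries(SCENARIOS).map(([name, s]) => [name, corbDecision(ORIGIN, s.mode, s.response)])
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(runScenarios());
}
```

Note the asymmetry the model makes visible: with nosniff set, a text/html response is blocked even when the body is plainly not HTML, while without nosniff a text/html body that does not look like HTML slips through, which is why the "change the MIME type" workaround is hacky rather than a fix.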