
Abbreviations used:

  • CORP: Cross Origin Resource Policy
  • CORS: Cross Origin Resource Sharing
  • CORB: Cross Origin Read Blocking
  • SSCAs: speculative side-channel attacks, like Spectre

I've read this article, but I still don't understand why cross-origin isolation and CORB/CORP are both needed. Specifically:

  • If webpages can perform SSCAs without using cross-origin isolated features (like SharedArrayBuffer), which is what Chromium assumes:
    • Why is it necessary to be cross-origin isolated to have access to those features?
  • Otherwise, if webpages can't perform SSCAs without using cross-origin isolated features:
    • Why are CORB and CORP needed?

Also, since webpages can perform SSCAs using cross-origin isolated features, what is the difference between using `Cross-Origin-Resource-Policy: cross-origin` and `Access-Control-Allow-Origin: *`, since SSCAs can be used to read data just by embedding a resource and `Access-Control-Allow-Origin: *` isn't needed for it?

    It already is. See tainted canvas. Primarily for preventing leakage of data (memory access is an open vector). Isolating the features by domain has the added benefit of holding domains accountable for abusive use of the features (kind of like API tokens or microphone/camera activation by domain). This is probably better suited for https://security.stackexchange.com/ – user120242 Jul 18 '20 at 18:12
  • You might consider asking this on the `public-webappsec@w3.org` mailing list https://lists.w3.org/Archives/Public/public-webappsec/, where the spec editors themselves can answer. (And then based on the answers you get there, you could add a self answer for this — here or after re-posting to https://security.stackexchange.com/). – sideshowbarker Jul 20 '20 at 22:20
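The question contrasts `Cross-Origin-Resource-Policy: cross-origin` with `Access-Control-Allow-Origin: *`. The two headers answer different questions: CORP (together with the embedder's `Cross-Origin-Embedder-Policy`) decides whether a `no-cors` load such as `<img>` or `<script>` is allowed to happen at all, while CORS decides whether the embedding page's script may read the response body. The following is an added example, not part of the question or of any browser's source: a simplified JavaScript model of the Fetch-spec CORP check and CORS response check that reports, for a given embedder, request mode and response headers, whether the resource loads and whether it is readable. It assumes a naive "site" computation (last two host labels, no public-suffix list) and ignores credentials, redirects and reporting.

```javascript
// Added example: a simplified model of the browser's CORP/COEP load decision
// and CORS readability decision. It is not code from the question or from any
// browser. Credentials modes, redirects and COEP reporting are omitted.

// Scheme + host(+port) of a URL, i.e. its origin.
function origin(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// ASSUMPTION: "site" is approximated as the last two host labels. A real
// browser uses the public-suffix list (eTLD+1) instead.
function site(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Decide whether a resource loads and whether its body is readable by script.
//   embedder      URL of the page issuing the request
//   embedderCOEP  the page's Cross-Origin-Embedder-Policy value
//   requestMode   'no-cors' (plain <img>/<script>) or 'cors' (fetch(), crossorigin attr)
//   responseHeaders lower-cased header map of the resource's response
function evaluate({ embedder, embedderCOEP = 'unsafe-none', requestMode, resourceUrl, responseHeaders = {} }) {
  const sameOrigin = origin(embedder) === origin(resourceUrl);
  const sameSite = site(embedder) === site(resourceUrl);
  const corp = (responseHeaders['cross-origin-resource-policy'] || '').trim().toLowerCase();
  const acao = (responseHeaders['access-control-allow-origin'] || '').trim();

  if (sameOrigin) {
    return { loaded: true, readable: true, reason: 'same-origin: neither CORP nor CORS applies' };
  }

  if (requestMode === 'cors') {
    // CORS-mode responses are "cors"-tainted, so the CORP check is skipped;
    // the CORS check alone decides, and a passing response is readable.
    const ok = acao === '*' || acao === origin(embedder);
    return ok
      ? { loaded: true, readable: true, reason: `CORS allowed by Access-Control-Allow-Origin: ${acao}` }
      : { loaded: false, readable: false, reason: 'CORS check failed: no matching Access-Control-Allow-Origin' };
  }

  // no-cors mode: the response is opaque, so script can never read the body.
  // The only remaining question is whether the load is permitted at all.
  if (corp === 'same-origin') {
    return { loaded: false, readable: false, reason: 'CORP: same-origin blocks cross-origin embedding' };
  }
  if (corp === 'same-site') {
    return sameSite
      ? { loaded: true, readable: false, reason: 'CORP: same-site permits same-site embedding; body stays opaque' }
      : { loaded: false, readable: false, reason: 'CORP: same-site blocks cross-site embedding' };
  }
  if (corp === 'cross-origin') {
    return { loaded: true, readable: false, reason: 'CORP: cross-origin permits embedding; body stays opaque' };
  }
  // No usable CORP header. An isolated embedder (require-corp) treats that as same-origin.
  if (embedderCOEP === 'require-corp') {
    return { loaded: false, readable: false, reason: 'COEP: require-corp blocks no-cors loads that carry no CORP' };
  }
  return { loaded: true, readable: false, reason: 'no CORP and embedder not isolated: loaded, body opaque' };
}

// Constructed scenarios comparing the two headers from the question.
function demo() {
  const embedder = 'https://app.example';
  const resourceUrl = 'https://cdn.other.test/lib.js';
  const cases = [
    { label: 'no-cors, no headers, isolated', requestMode: 'no-cors', embedderCOEP: 'require-corp', responseHeaders: {} },
    { label: 'no-cors, CORP cross-origin, isolated', requestMode: 'no-cors', embedderCOEP: 'require-corp', responseHeaders: { 'cross-origin-resource-policy': 'cross-origin' } },
    { label: 'no-cors, only ACAO *, isolated', requestMode: 'no-cors', embedderCOEP: 'require-corp', responseHeaders: { 'access-control-allow-origin': '*' } },
    { label: 'cors, ACAO *, isolated', requestMode: 'cors', embedderCOEP: 'require-corp', responseHeaders: { 'access-control-allow-origin': '*' } },
    { label: 'cors, only CORP cross-origin', requestMode: 'cors', embedderCOEP: 'require-corp', responseHeaders: { 'cross-origin-resource-policy': 'cross-origin' } },
  ];
  return cases.map((c) => ({ label: c.label, ...evaluate({ embedder, resourceUrl, ...c }) }));
}

for (const r of demo()) {
  console.log(`${r.label.padEnd(40)} loaded=${r.loaded} readable=${r.readable}  ${r.reason}`);
}
```

The table this prints is the practical distinction: `Cross-Origin-Resource-Policy: cross-origin` lets an isolated page embed the resource but never hands its bytes to script, whereas `Access-Control-Allow-Origin: *` (used with a CORS-mode request) makes the body directly readable.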

0 Answers