Reland "Initial implementation of Opaque Response Blocking (ORB)."
This reverts commit 8e6a8c80 (i.e. relands commit 8b9ef5d8).

This CL implements most of the Opaque Response Blocking (ORB) algorithm from https://github.com/annevk/orb. Major exceptions:

1) One of the last steps in ORB asks to sniff the whole response body to confirm whether the response contains valid Javascript. ORB's algorithm results in the most correct and secure behavior, but requires more work to implement. For now Chromium's implementation determines `is_surely_not_javascript` by sniffing the first 1024 bytes with CORB's confirmation sniffers (see IsSensitiveHtmlXmlOrJson). This approximates ORB's behavior and improves security (e.g. applying protection to HTML and XML served as application/octet-stream), although unlike full ORB the current implementation fails open rather than closed.

2) Chromium continues blocking responses by injecting an empty response body and stripping HTTP headers (rather than by injecting a network error).

3) Other differences are tracked in the "ORB v0.1 vs full ORB" section of the doc here: https://docs.google.com/document/d/1qUbE2ySi6av3arUEw5DNdFJIKKBbWGRGsXz_ew3S7HQ/edit#heading=h.mptmm5bpjtdn

There are also some other minor differences that hopefully can be removed over time.

Bug: 1178928
Change-Id: I2318d88960cca4615cdf85d43c56a4a462a819cc
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3418535
Reviewed-by: Charles Reis <creis@chromium.org>
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Łukasz Anforowicz <lukasza@chromium.org>
Cr-Commit-Position: refs/heads/main@{#968346}
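
The sniffing decision from exception 1, as an added illustration that is not Chromium code and not part of the commit: a simplified model of confirming "surely not JavaScript" from the first 1024 bytes and failing open otherwise. The function names and the reduced signature list are assumptions; the real confirmation sniffers behind IsSensitiveHtmlXmlOrJson are more thorough.

```cpp
#include <algorithm>
#include <cctype>
#include <cstddef>
#include <initializer_list>
#include <string>

enum class Verdict { kAllow, kBlock };
// Sniff window size stated in the commit message.
constexpr std::size_t kSniffWindow = 1024;

// Case-insensitive prefix match.
static bool StartsWithNoCase(const std::string& s, const std::string& prefix) {
  if (s.size() < prefix.size()) return false;
  return std::equal(prefix.begin(), prefix.end(), s.begin(),
                    [](char a, char b) {
                      return std::tolower(static_cast<unsigned char>(a)) ==
                             std::tolower(static_cast<unsigned char>(b));
                    });
}

static std::string SkipSpace(const std::string& s) {
  std::size_t i = 0;
  while (i < s.size() && std::isspace(static_cast<unsigned char>(s[i]))) ++i;
  return s.substr(i);
}

// Hypothetical stand-in for the confirmation sniffers: true only when the
// window positively looks like HTML, XML or a JSON object. The signature
// list is a constructed, reduced set for illustration.
bool LooksLikeHtmlXmlOrJson(const std::string& window) {
  std::string head = SkipSpace(window);
  for (const char* sig : {"<!doctype html", "<html", "<head", "<body", "<?xml"})
    if (StartsWithNoCase(head, sig)) return true;
  // JSON object shape: '{' ws '"' key '"' ws ':' (not a valid JS statement).
  if (head.empty() || head[0] != '{') return false;
  head = SkipSpace(head.substr(1));
  if (head.empty() || head[0] != '"') return false;
  std::size_t close = head.find('"', 1);
  if (close == std::string::npos) return false;
  head = SkipSpace(head.substr(close + 1));
  return !head.empty() && head[0] == ':';
}

// Block only on a positive match inside the window. Anything the sniffers
// cannot confirm is allowed: this is the fail-open behavior.
Verdict SniffOpaqueResponse(const std::string& body) {
  bool is_surely_not_javascript = LooksLikeHtmlXmlOrJson(body.substr(0, kSniffWindow));
  return is_surely_not_javascript ? Verdict::kBlock : Verdict::kAllow;
}
```

In this model, non-script data that matches no signature (for example CSV), or markup that starts after the 1024-byte window, is allowed through, which is the gap a fail-closed full-body check would close.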