Initial implementation of Opaque Response Blocking (ORB).
This CL implements most of the Opaque Response Blocking (ORB) algorithm from https://github.com/annevk/orb. Major exceptions: 1) One of last steps in ORB asks to sniff the whole response body to confirm whether the response contains valid Javascript. ORB's algorithm results in the most correct and secure behavior, but requires more work to implement. For now Chromium's implementation determines `is_surely_not_javascript` by sniffing the first 1024 bytes with CORB's confirmation sniffers (see IsSensitiveHtmlXmlOrJson). This approximates ORB's behavior and improves security (e.g. applying protection to HTML and XML served as application/octet-stream), although unlike full ORB the current implementation fails open rather than closed. 2) Chromium continues blocking responses by injecting an empty response body and stripping HTTP headers (rather than by injecting a network error). 3) Other differences are tracked in the "ORB v0.1 vs full ORB" section of the doc here: https://docs.google.com/document/d/1qUbE2ySi6av3arUEw5DNdFJIKKBbWGRGsXz_ew3S7HQ/edit#heading=h.mptmm5bpjtdn There are also some other minor differences that hopefully can be removed over time. Bug: 1178928 Change-Id: I4f018bdb75b5ff7d10233271e42476a9cc50bf2f Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3203018 Reviewed-by:Charles Reis <creis@chromium.org> Reviewed-by:
Loading
Please register or sign in to comment