CORB Leaks
October 1, 2020
Cross-Origin Read Blocking (CORB) is a web platform security feature aimed at reducing the impact of speculative side-channel attacks such as Spectre. Unfortunately, blocking certain types of requests introduced a new type of XS-Leaks 1 that allows attackers to detect if CORB was enforced on one request, but wasn’t on another. Nevertheless, the introduced XS-Leaks are much less problematic than the issues actively protected by CORB (e.g. Spectre).
info
This is a known issue in Chromium, and while it might remain unfixed, its impact is greatly reduced by the rollout of SameSite Cookies by default in Chromium-based browsers.
CORB & Error Events #
Attackers can observe when CORB is enforced if a response returns a CORB protected Content-Type (and nosniff) with the status code 2xx which results in CORB stripping the body and headers from the response. Detecting this protection allows an attacker to leak the combination of both the status code (success vs. error) and the Content-Type (protected by CORB or not). This allows the distinction of two possible states as shown in these examples:
- One state results in a request being protected by CORB and the second state in a client error (404).
- One state is protected by CORB and the second state is not.
The following steps allow abusing this protection in the context of the first example:
- An attacker can embed a cross-origin resource in a
scripttag which returns200 OKwithtext/htmlasContent-Typeand anosniffHeader. - To protect sensitive contents from entering the attacker’s process,
CORBwill replace the original response with an empty one. - Since an empty response is valid JavaScript, the
onerrorevent won’t be fired,onloadwill fire instead. - The attacker triggers a second request (corresponding to a second state), similar to 1., which returns something other than
200 OK. Theonerrorevent will fire.
The interesting behavior is that CORB creates a valid resource out of the request which could contain something other than JavaScript (causing an error). Considering a non-CORB environment, both 1. and 4. requests would trigger an error. This introduces an XS-Leak as these situations are now distinguishable.
Detecting the nosniff Header
#
CORB can also allow attackers to detect when the nosniff header is present in the request. This problem originated due to the fact that CORB is only enforced depending on the presence of this header and some sniffing algorithms. The example below shows two distinguishable states:
- CORB will prevent an attacker page which embeds a resource as a
scriptif the resource is served withtext/htmlasContent-Typealong with thenosniffheader. - If the resource does not set
nosniffand CORB fails to infer theContent-Typeof the page (which remainstext/html), aSyntaxErrorwill be fired since the contents can’t be parsed as valid JavaScript. This error can be caught by listening towindow.onerrorasscripttags only trigger error events under certain conditions. Run demo
Defense #
| SameSite Cookies (Lax) | COOP | Framing Protections | Isolation Policies |
|---|---|---|---|
| ✔️ | ❌ | ❌ | RIP 🔗 NIP |
🔗 – Defense mechanisms must be combined to be effective against different scenarios.
tip
Developers can deploy CORP in an application’s subresources to force a protection similar to CORB that does not inspect responses to decide when to act. To prevent attackers from abusing this XS-Leak, generic XS-Leaks defense mechanisms are also effective.