Demo of CORB

This page demonstrates how Cross-Origin Read Blocking (CORB) works. Please see one of the following resources for more information about CORB:

• Explainer
• Older Design document

Repro steps to trigger CORB:

1. Make sure that CORB is active
   • In Chrome M68 and later CORB is active by default - no special actions need to be taken to activate CORB.
   • In earlier versions of Chrome, CORB is either activated together with the Site Isolation feature or can be manually activated by launching Chrome with the --enable-features=CrossSiteDocumentBlockingAlways cmdline flag.
2. Open Javascript console (e.g. by pressing Ctrl-Shift-I in Chrome).
3. Press the button below to add an <img src="https://www.chromium.org/"> element that tries to sneak a cross-origin text/html document into memory of a renderer process hosting another origin.
4. Observe that CORB blocks the http response triggered by the inserted img element.
   • Whenever CORB blocks a reponse there is a DevTools console message:
     • In Chrome M66 and earlier: Blocked current origin from receiving cross-site document at https://www.chromium.org/ with MIME type text/html.
     • In Chrome M67 and later: Cross-Origin Read Blocking (CORB) blocked cross-origin response https://www.example.com/example.html with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.
   • In Chrome one can also visit chrome://histograms and observe SiteIsolation.XSD.Browser* metrics. In particular, the SiteIsolation.XSD.Browser.Action metric logs the following events: 0 - response started, 1 - blocked without sniffing, 2 - blocked after sniffing, 3 - allowed without sniffing, 4 - allowed after sniffing. Clicking the button below should increment by one the counter of "1 - blocked without sniffing" events.

Dynamic content below...