annevk/orb

Issues

• Could someone explain the actual tangible security implication of a browser without CORB and ORB?

  #44 opened 6 months ago by markg85
  10

• HLS manifest is fetched across origins

  #29 opened 3 years ago by annevk
  12

• Blocking JSON breaks web compat

  #43 opened a year ago by farre
  3

• It's unclear how multipart/x-mixed-replace should be handled

  #42 opened a year ago by farre
  3

• Avoid ORB checks for navigator.sendBeacon

  #41 opened a year ago by zcorpan
  2

• ORB uses `audio-or-video-type-pattern-matching-algorithm` in an indeterministic way.

  #40 opened 2 years ago by farre
  1

• It is unclear if blocking no-cors is web-compatible

  #39 opened 2 years ago by smaug----
  8

• Clarify the behaviour of Javascript Validation when we are waiting for the full body

  #38 opened 2 years ago by sefeng211
  1

• Graceful fallback for future image types

  #3 opened 4 years ago by anforowicz
  47

• It is unclear when "To determine whether to allow response response to a request request, run these steps" runs.

  #35 opened 2 years ago by smaug----
  3

• Authentication Request and 401 response code

  #37 opened 2 years ago by sefeng211
  1

• How to decode potential JavaScript

  #7 opened 4 years ago by annevk
  6

• Do JavaScript parser implementations conform to ParseText(text, Script)

  #34 opened 2 years ago by annevk
  5

• embed/object

  #5 opened 2 years ago by annevk
  7

• Consider an alternative strategy for media that does not rely on media elements directly

  #33 opened 3 years ago by anforowicz
  8

• Should ORB block application/javascript with either JSON or JS-parser-breakers

  #30 opened 3 years ago by anforowicz
  6

• No size limit

  #22 opened 4 years ago by MattMenke2
  10

• Stricter filter for responses without MIME type

  #28 opened 3 years ago by annevk
  0

• Blocklist based on sniffing

  #27 opened 3 years ago by annevk
  0

• Should ORB block application/signed-exchange responses

  #32 opened 3 years ago by anforowicz
  1

• Consider explicitly handling "application/dash+xml" MIME type

  #20 opened 3 years ago by anforowicz
  4

• Restrict opaque-safelisted requesters set more?

  #4 opened 3 years ago by annevk
  4

• JSON vs Javascript lists

  #2 opened 3 years ago by anforowicz
  1

• Limit performance impact by restricting Javascript sniffing/parsing to "script" destinations

  #25 opened 3 years ago by anforowicz
  3

• Impact on streaming responses

  #24 opened 3 years ago by anforowicz
  2

• Restrict fetch(..., { mode: "no-cors" }) more

  #18 opened 4 years ago by annevk
  0

• Could be stricter on safelisted CSS and JS MIME types

  #12 opened 4 years ago by annevk
  0

• Incentives against using `text/javascript` almost everywhere

  #19 opened 4 years ago by anforowicz
  1

• Ambiguity in spec around how much of body is parsed as JS/JSON

  #21 opened 3 years ago by MattMenke2
  2

• Take into account the Chromium's never-sniff MIME types

  #10 opened 4 years ago by annevk
  1

• Can be stricter when mimeType is failure and nosniff is true

  #9 opened 4 years ago by annevk
  0

• Incorperate more blocking before parsing as JavaScript

  #6 opened 4 years ago by annevk
  0