How to avoid Meltdown, Spectre and CSRF Attacks on Web with CORP, CORB, and CORS?
A brief, practical overview of the mechanics of Cross-Origin Read Blocking, Cross-Origin Resource Policy and Cross-Origin Resource Sharing, and how they work against Meltdown, Spectre and CSRF attacks.
By design, Cross-Origin Read Blocking validates browser requests before they even reach the server, using their MIME type as the validation rule.
To enable it, send the HTTP header X-Content-Type-Options: nosniff from the server.
Cross-Origin Resource Policy is a mechanism complementary to CORB: it validates requests flagged with no-cors and rejects them if they come from a different domain or origin.
To enable it, send the header Cross-Origin-Resource-Policy from the server with the value same-site, which rejects no-cors requests coming from a different domain or origin.
Cross-Origin Resource Sharing is a logical-context mechanism that ensures a minimum of security in the way users consume web content in their browsers, by instructing the browser how to validate the origin of requests.
To define the rules by which the origin of a request is identified, send the HTTP header Access-Control-Allow-Origin with values such as <exact_request_origin>, or even more generic approaches using
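The three headers above, as an added example that is not part of the original post: one function builds the response headers for a request (echoing the exact request origin only when it is on an allowlist), and a second audits a response header map for them. ALLOWED_ORIGINS and the sample headers are constructed for illustration.

```python
# Added example (not from the original post): build the response headers the
# post describes and audit a response for them. ALLOWED_ORIGINS and the sample
# headers below are constructed for illustration.
from typing import Dict, List, Optional

# Assumed allowlist of origins that may read this server's resources via CORS.
ALLOWED_ORIGINS = frozenset({"https://app.example.com", "https://admin.example.com"})


def cross_origin_headers(request_origin: Optional[str],
                         allowed_origins=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Headers to send for a request carrying the given Origin (or None)."""
    headers = {
        # Lets CORB trust the declared Content-Type instead of sniffing it.
        "X-Content-Type-Options": "nosniff",
        # Rejects no-cors reads of this resource from other sites.
        "Cross-Origin-Resource-Policy": "same-site",
    }
    # Echo only an allowlisted origin; reflecting any Origin header would
    # make the allowlist meaningless.
    if request_origin in allowed_origins:
        headers["Access-Control-Allow-Origin"] = request_origin
        # A per-origin value must not be cached and replayed to another origin.
        headers["Vary"] = "Origin"
    return headers


def audit_cross_origin_headers(headers: Dict[str, str],
                               allowed_origins=ALLOWED_ORIGINS) -> List[str]:
    """Return findings for a response header map (names matched case-insensitively).
    An empty list means the three protections are set as the post recommends."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff is missing")
    if h.get("cross-origin-resource-policy", "").lower() not in ("same-site", "same-origin"):
        findings.append("Cross-Origin-Resource-Policy is missing or permissive")
    acao = h.get("access-control-allow-origin")
    if acao is not None and acao != "*" and acao not in allowed_origins:
        findings.append(f"Access-Control-Allow-Origin grants an unlisted origin: {acao}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a JSON response that set none of the headers.
    print(audit_cross_origin_headers({"Content-Type": "application/json"}))
    print(cross_origin_headers("https://app.example.com"))
```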
I hope you now understand a bit better why to use these Cross-Origin Resource features.
Try not to disable or ignore them in your web applications: Spectre, CSRF and Meltdown attacks are really dangerous.