
How to avoid Meltdown, Spectre and CSRF Attacks on Web with CORP, CORB, and CORS?

A brief and useful note on the mechanics of Cross-Origin Read Blocking, Cross-Origin Resource Policy and Cross-Origin Resource Sharing against Meltdown, Spectre and CSRF attacks.


By design, Cross-Origin Read Blocking (CORB) validates browser requests before they even reach the server, using their MIME type as the validation rule.

To enable it, send the HTTP header X-Content-Type-Options: nosniff from the server.


Cross-Origin Resource Policy (CORP) is a validation mechanism complementary to CORB: it is applied to requests flagged with no-cors and invalidates them if they came from a different domain or origin.

Send the header Cross-Origin-Resource-Policy from the server with the value same-origin or same-site to invalidate no-cors requests from a different domain or origin.


Cross-Origin Resource Sharing (CORS) is a logical-context mechanism that ensures minimal security in the way users consume web content through browsers, by instructing the browser how to validate the origin of requests.

To define rules about how the origin of the request will be identified, send the HTTP header Access-Control-Allow-Origin with a value such as <exact_request_origin>, or even the more generic wildcard *.


Hope that now you understand a bit better why to use these Cross-Origin Resource features.

Try not to disable or ignore them in your web applications. Spectre, CSRF, and Meltdown attacks are really dangerous.