Can I programmatically detect whether a CORB error occurred?

I’m looking for a way to programmatically detect (using JavaScript) whether a resource load on my page (over which I have full control) was blocked by Cross-Origin Resource Blocking.

For instance, because the response from https://example.com has Content-Type text/html; charset=UTF-8, the following HTML code would trigger a CORB error in Chromium-based browsers:

<script src="https://example.com"></script>

But how can I detect that it occurred? Simply adding a handler for the error event on the script element isn’t working; for instance, the following code doesn’t open a dialog box:

<script src="https://example.com" onerror="alert('CORB!')"></script>

Note that I’m not interested in fixing the CORB error or inspecting the contents of the CORB error; I’m only interested in detecting programmatically whether a CORB error occurred. Is that even possible?

Answer

I’m happy to be proven wrong but, according to what I’ve read so far, programmatically detecting whether a CORB error occurred is impossible, at least in general.

However, in some cases, you may be able to leak some information cross-origin:

Cross-Origin Read Blocking (CORB) is a web platform security feature aimed at reducing the impact of speculative side-channel attacks such as Spectre. Unfortunately, blocking certain types of requests introduced a new type of XS-Leaks that allows attackers to detect if CORB was enforced on one request, but wasn’t on another.

(source: https://xsleaks.dev/docs/attacks/browser-features/corb/)

User contributions licensed under: CC BY-SA