I asked the same question on Stack Overflow, but I got no answers and I was suggested to ask it here.
- CORP: Cross Origin Resource Policy
- CORS: Cross Origin Resource Sharing
- CORB: Cross Origin Read Blocking
- SSCAs: speculative side-channel attacks, like Spectre
I’ve read this article, but I still don’t understand why are cross-origin isolation and CORB/CORP both needed. Specifically:
- If webpages can perform SSCAs without using cross-origin isolated features (like
SharedArrayBuffer), which I think is what Chromium assumes, then why is it necessary to be cross-origin isolated to have access to those features?
- Otherwise, if webpages can’t perform SSCAs without using cross-origin isolated features, then why are CORB and CORP needed?
Also, since webpages can perform SSCAs using cross-origin isolated features, what is the difference between using
Cross-Origin-Resource-Policy: cross-origin and
Access-Control-Allow-Origin: *, since SSCAs can be used to read data just by embedding a resource and
Access-Control-Allow-Origin: * isn’t needed for it?