Initial Query

What does "ERR_BLOCKED_BY_ORB" mean?

LLM Generation

Query

What does "ERR_BLOCKED_BY_ORB" mean?

Output

`ERR_BLOCKED_BY_ORB` is an error message you might see in the developer console of Chromium-based browsers (like Google Chrome, Microsoft Edge, Brave, etc.). It stands for **Error: Blocked by Opaque Response Blocking**.

Here's what it means and why it happens:

1. **Security Feature:** ORB is a security mechanism designed to protect against certain types of cross-site scripting (XSS) and information leakage attacks (like Spectre side-channel attacks).
2. **Cross-Origin Protection:** It specifically targets **cross-origin** resource requests. This means a web page from `domain-a.com` trying to load a resource (like an image, script, or stylesheet) from `domain-b.com`.
3. **Context and Content-Type Mismatch:** The core idea of ORB is to prevent a resource with a sensitive MIME type (like HTML, JSON, XML) from being loaded into a context where it shouldn't be executed but could potentially be read by malicious code.
    * For example, imagine a malicious script trying to load sensitive JSON data from another site using an `<img>` tag. The browser wouldn't *render* the JSON as an image, but older vulnerabilities might have allowed the script to inspect the data loaded into memory.
4. **How it Works:**
    * When your browser makes a cross-origin request for a resource needed by certain HTML tags (like `<script>`, `<img>`, `<link rel="stylesheet">`, etc.)...
    * ...it checks the `Content-Type` header of the response *before* passing the data to the part of the browser that renders the page (the renderer process).
    * If the `Content-Type` indicates a format that is **not** appropriate for the requesting tag/context (e.g., `text/html`, `application/json`, `text/xml` requested by an `<img>` tag) and is considered potentially sensitive (i.e., not a standard image, script, or CSS format expected by that tag), ORB steps in.
    * ORB **blocks** the response body, replacing it with an empty one, preventing the potentially sensitive data from ever reaching the renderer process where it could be attacked.
    * The `ERR_BLOCKED_BY_ORB` message is logged to the console to indicate this blocking action occurred.

**Common Causes:**

* **Incorrect `Content-Type` Header:** The server hosting the resource is sending the wrong `Content-Type` header. For example, serving a JavaScript file with `Content-Type: text/html`.
* **Requesting Resource in Wrong Context:** Your web page is trying to load a resource using an inappropriate HTML tag. For example, trying to load an HTML page or JSON data via an `<img>` or `<script>` tag when it wasn't intended for that.
* **Server Misconfiguration:** Sometimes related to CORS (Cross-Origin Resource Sharing) misconfigurations, although ORB acts *after* a CORS check might have passed. The server might also be missing the `X-Content-Type-Options: nosniff` header, which can sometimes interact with how browsers handle MIME types, though ORB aims to be effective even without `nosniff`.

**In summary:** `ERR_BLOCKED_BY_ORB` means the browser proactively blocked a cross-origin response because its content type wasn't safe or appropriate for the context in which it was requested. It's a security measure preventing potential data leaks. To fix it, you usually need to ensure the server sends the correct `Content-Type` header for the resource or ensure your web page is requesting the resource using the correct mechanism/tag.

Substring Evaluation

Testing if the previous output contains the string opaque resource blocking: False