Getting CORB warnings in Chrome

I’ve recently started getting CORB warnings in Chrome. Here are the logs:

xhr.js:178 Cross-Origin Read Blocking (CORB) blocked cross-origin response https://my.api.mockaroo.com/collection/5?key=0000000 with MIME type text/plain. See https://www.chromestatus.com/feature/5629709824032768 for more details.

From the Chrome page:

Cross-Origin Read Blocking (CORB)

Security

Cross-Origin Read Blocking (CORB) is an algorithm that can identify and block dubious cross-origin resource loads in web browsers before they reach the web page. CORB reduces the risk of leaking sensitive data by keeping it further from cross-origin web pages. In most browsers, it keeps such data out of untrusted script execution contexts. In browsers with Site Isolation, it can keep such data out of untrusted renderer processes entirely, helping even against side channel attacks like Spectre.

Comments
Web developers can learn more about how CORB affects their sites at https://www.chromium.org/Home/chromium-security/corb-for-developers.

Chrome 73 changes to cross-origin requests in chrome extension content scripts are described at https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

Demo
https://anforowicz.github.io/xsdb-demo/index.html
Documentation
https://chromium.googlesource.com/chromium/src/+/master/services/network/cross_origin_read_blocking_explainer.md
https://www.chromium.org/Home/chromium-security/corb-for-developers
https://github.com/whatwg/fetch/issues/681

I’ve pushed an update that returns the content-type based on the schema’s output format. Previously it was always returning application/json. Hopefully that will fix the issue.

1 Like