
CORB: How does a web dev allow cross-origin JSON reads from a trusted source?

Noel Burgess
Contributor

[Disclaimer - I'm way out of my depth when it comes to the more esoteric bits of Internet security and I don't pretend to know what I'm talking about ;)]

 

Dev, currently 79.0.294.1

At answers.microsoft.com, I see 8-15 calls to web.vortex.data.microsoft.com blocked by CORB on every page load. Each call (many of them concurrent) takes 0.5-5.0s only to end with no response, so I won't believe that this isn't affecting site performance. And presumably the lack of response means that whatever the calls' purpose, they are not providing the data the site wants. I have pointed this out to the site engineers, whose reaction was to point me to old articles about CORS blocking in IE.

 

There must be a way for them to specify that these calls can be trusted. Is there anything I can do in the browser, or anything I might suggest to the web devs?

 

Illustration: [image: MC-CORB.png]

1 Reply

Vortex is one of our telemetry collection servers. It may be that your ad blocking or tracker blocking is preventing these from completing. We use Vortex on the Insider pages to track things like which highlights are most popular, and I am guessing that the Answers site is doing something similar. Thanks - Elliot
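
Added example, not part of the original thread and not code from the browser or the site: a simplified JavaScript model of how CORB decides whether a cross-origin JSON response is stripped, and which request mode and response headers leave it readable. The hosts `site.example` and `telemetry.example`, the function names and the sample responses are constructed; only JSON types are modelled, and sniffing is reduced to a prefix check.

```javascript
// Simplified model of the CORB decision for JSON responses (added example).
// Not Chromium's code: real CORB also protects HTML/XML and sniffs more carefully.
const JSON_TYPES = [/^application\/json$/, /^text\/json$/, /\+json$/];

function lower(headers) {
  return Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
}

// Crude stand-in for the browser's confirmation sniffing of a JSON body.
const looksLikeJson = (body) => /^\s*\{\s*"/.test(body);

function corbDecision(req, res) {
  const h = lower(res.headers);
  if (new URL(req.url).origin === req.initiatorOrigin) return "allow:same-origin";
  if (req.mode === "cors") {
    // Assumes a request without credentials, where "*" is acceptable.
    const acao = h["access-control-allow-origin"];
    return acao === "*" || acao === req.initiatorOrigin
      ? "allow:cors-approved" : "fail:cors-check";
  }
  const mime = (h["content-type"] || "").split(";")[0].trim().toLowerCase();
  if (!JSON_TYPES.some((re) => re.test(mime))) return "allow:unprotected-type";
  const nosniff = (h["x-content-type-options"] || "").toLowerCase() === "nosniff";
  if (nosniff || looksLikeJson(res.body)) return "block:empty-response";
  return "allow:sniff-mismatch";
}

// Constructed sample traffic; hosts and paths are placeholders.
const page = "https://site.example";
const url = "https://telemetry.example/collect";
const json = "application/json; charset=utf-8";
function demo() {
  const noCors = { url, initiatorOrigin: page, mode: "no-cors" }; // <script>/<img> load
  const cors = { url, initiatorOrigin: page, mode: "cors" };      // fetch() default
  return [
    corbDecision(noCors, { headers: { "Content-Type": json,
      "X-Content-Type-Options": "nosniff" }, body: '{"acc":1}' }),
    corbDecision(cors, { headers: { "Content-Type": json,
      "Access-Control-Allow-Origin": page }, body: '{"acc":1}' }),
    corbDecision(noCors, { headers: { "Content-Type": "image/gif" }, body: "GIF89a" }),
    corbDecision(noCors, { headers: { "Content-Type": json }, body: "GIF89a" }),
  ];
}
console.log(demo());
```

In this model the page can read the JSON only in the second case, where the request is made in CORS mode and the server names the page's origin in `Access-Control-Allow-Origin`.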
