
CORB: How does a web dev allow cross-origin JSON reads from a trusted source?

Noel Burgess
Contributor

[Disclaimer - I'm way out of my depth when it comes to the more esoteric bits of Internet security and I don't pretend to know what I'm talking about ;)]

Dev, currently 79.0.294.1

At answers.microsoft.com, I see 8-15 calls to web.vortex.data.microsoft.com blocked by CORB on every page load. Each call (many of them concurrent) takes 0.5-5.0s only to end with no response, so I won't believe that this isn't affecting site performance. And presumably the lack of response means that whatever the calls' purpose, they are not providing the data the site wants. I have pointed this out to the site engineers, whose reaction was to point me to old articles about CORS blocking in IE.

There must be a way for them to specify that these calls can be trusted. Is there anything I can do in the browser, or anything I might suggest to the web devs?

Illustration:

[Image: MC-CORB.png]

1 Reply

Vortex is one of our telemetry collection servers. It may be that your ad blocking / tracker blocking is preventing these from completing. We use Vortex on the Insider pages to track things like which highlights are most popular, and I am guessing that the Answers site is doing something similar. Thanks - Elliot