If you're interested in cross origin information leaks and defenses against them (including Cross Origin Read Blocking), I highly recommend this short 7 page summary by Artur Janc and Mike West from Google:
Will we be able to report errors using the upcoming report-to header?
I didn't see a report mechanism listed, but like with hpkp and cors I would like those errors to.be reporteable
The risk is via side channel attacks like Spectre. Even if the script fails to execute (since it's html and not javascript), the html document has been loaded into the memory of the process which included the script tag, which can now start reading that memory via side channel attacks.
No, it sees the content type in the headers that are at the start of the response. Presumably if that header isn't correct it'll stop downloading any further data.
9 comments
[ 0.33 ms ] story [ 29.4 ms ] threadhttps://www.arturjanc.com/cross-origin-infoleaks.pdf
https://www.idontplaydarts.com/2015/09/cross-domain-timing-a...