diff --git a/fetch.bs b/fetch.bs
index 8b4adf811..275cae0e4 100644
--- a/fetch.bs
+++ b/fetch.bs
@@ -3552,61 +3552,6 @@ X-Content-Type-Options           = "nosniff" ; case-insensitive
 pertain to them. Also, considering "<code>image</code>" was not compatible with deployed content.
 
 
-<h3 id=corb>CORB</h3>
-
-<p class="note">Cross-origin read blocking, better known as CORB, is an algorithm which identifies
-dubious cross-origin resource fetches (e.g., fetches that would fail anyway like attempts to render
-JSON inside an <code>img</code> element) and blocks them before they reach a web page. CORB reduces
-the risk of leaking sensitive data by keeping it further from cross-origin web pages.
-
-<p>A <dfn>CORB-protected MIME type</dfn> is an <a>HTML MIME type</a>, a <a>JSON MIME type</a>, or an
-<a>XML MIME type</a> excluding <code>image/svg+xml</code>.
-
-<p class="note no-backref">Even without CORB, accessing the content of cross-origin resources with
-<a>CORB-protected MIME types</a> is either managed by the <a>CORS protocol</a> (e.g., in case of
-{{XMLHttpRequest}}), not observable (e.g., in case of pings or CSP reports which ignore the
-response), or would result in an error (e.g., when failing to decode an HTML document embedded in an
-<code>img</code> element as an image). This means that CORB can block
-<a>CORB-protected MIME types</a> resources without being disruptive to web pages.
-
-<p>To perform a <dfn noexport>CORB check</dfn>, given a <var>request</var> and <var>response</var>,
-run these steps:</p>
-
-<ol>
- <li>
-  <p>If <var>request</var>'s <a for=request>initiator</a> is "<code>download</code>", then return
-  <b>allowed</b>.
-
-  <p class=XXX>If we recast downloading as navigation this step can be removed.
-
- <li><p>If <var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is not an
- <a>HTTP(S) scheme</a>, then return <b>allowed</b>.
-
- <li><p>Let <var>mimeType</var> be the result of <a for="header list">extracting a MIME type</a>
- from <var>response</var>'s <a for=response>header list</a>.
-
- <li><p>If <var>mimeType</var> is failure, then return <b>allowed</b>.
-
- <li><p>If <var>response</var>'s <a for=response>status</a> is 206 and <var>mimeType</var> is a
- <a>CORB-protected MIME type</a>, then return <b>blocked</b>.
-
- <li>
-  <p>If <a>determine nosniff</a> with <var>response</var>'s <a for=response>header list</a> is true
-  and <var>mimeType</var> is a <a>CORB-protected MIME type</a> or its <a for="MIME type">essence</a>
-  is "<code>text/plain</code>", then return <b>blocked</b>.
-
-  <p class="note no-backref">CORB only protects <code>text/plain</code> responses with a
-  `<code>X-Content-Type-Options: nosniff</code>` header. Unfortunately, protecting such responses
-  without that header when their <a for=response>status</a> is 206 would break too many existing
-  video responses that have a <code>text/plain</code> <a for=/>MIME type</a>.
-
- <!-- TODO: MIME type confirmation sniffing -->
- <!-- TODO: JSON security prefix sniffing -->
-
- <li><p>Return <b>allowed</b>.
-</ol>
-
-
 <h3 id=cross-origin-resource-policy-header>`<code>Cross-Origin-Resource-Policy</code>` header</h3>
 
 <p>The
@@ -4125,35 +4070,19 @@ steps:
     <a>HTTP(S) scheme</a>.
     [[!HTML]] [[!SW]]
 
-   <dt><var>request</var>'s <a for=request>mode</a> is
-   "<code>same-origin</code>"
+   <dt><var>request</var>'s <a for=request>mode</a> is "<code>same-origin</code>"
    <dd><p>Return a <a>network error</a>.
 
-   <dt><var>request</var>'s <a for=request>mode</a> is
-   "<code>no-cors</code>"
+   <dt><var>request</var>'s <a for=request>mode</a> is "<code>no-cors</code>"
    <dd>
     <ol>
      <li><p>If <var>request</var>'s <a for=request>redirect mode</a> is not "<code>follow</code>",
      then return a <a>network error</a>.
 
-     <li><p>Set <var>request</var>'s
-     <a for=request>response tainting</a> to
-     "<code>opaque</code>".
+     <li><p>Set <var>request</var>'s <a for=request>response tainting</a> to "<code>opaque</code>".
 
-     <li><p>Let <var>noCorsResponse</var> be the result of running <a>scheme fetch</a> given
-     <var>fetchParams</var>.
+     <li><p>Return the result of running <a>scheme fetch</a> given <var>fetchParams</var>.
      <!-- file URLs end up here as they are not same-origin typically. -->
-
-     <li><p>If <var>noCorsResponse</var> is a <a>filtered response</a> or the <a>CORB check</a> with
-     <var>request</var> and <var>noCorsResponse</var> returns <b>allowed</b>, then return
-     <var>noCorsResponse</var>.
-
-     <li>
-      <p>Return a new <a for=/>response</a> whose <a for=response>status</a> is
-      <var>noCorsResponse</var>'s <a for=response>status</a>.
-
-      <p class="warning">This is only an effective defense against side channel attacks if
-      <var>noCorsResponse</var> is kept isolated from the process that initiated the request.
     </ol>
 
    <dt><var>request</var>'s <a for=request>current URL</a>'s <a for=url>scheme</a> is not an