New Feature: CORS for extension content scripts | Manifest V3 next phase

HotCakeX · ‎Apr 06 2020

It's behind a flag: edge://flags/#cors-for-content-scripts

CORS for content scripts

Prevent content scripts of Extensions from bypassing CORS. – Mac, Windows

Microsoft Edge Version 83.0.477.0 (Official build) canary (64-bit)

Overview

When web pages request cross-origin data with fetch or XHR APIs, the response is denied unless CORS headers allow it. In contrast, extension content scripts have traditionally been able to fetch cross-origin data from any origins listed in their extension's permissions, regardless of the origin that the content script is running within. As part of a broader Extension Manifest V3 effort to improve extension security, privacy, and performance, these cross-origin requests in content scripts will soon be disallowed. Instead, content scripts will be subject to the same request rules as the page they are running within. Extension pages, such as background pages, popups, or options pages, are unaffected by this change and will continue to be allowed to bypass CORS for cross-origin requests as they do today.

https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

FNM-Luke · ‎Jul 10 2023

Background Scripts are now getting blocked from making CORS requests, they should be able to make these requests.

This works as expected in Chrome (background script CORS requests are not blocked), but Edge didn't seem to get the memo.

@HotCakeX

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

New Feature: CORS for extension content scripts | Manifest V3 next phase

New Feature: CORS for extension content scripts | Manifest V3 next phase

CORS for content scripts

Re: New Feature: CORS for extension content scripts | Manifest V3 next phase