New Feature: CORS for extension content scripts | Manifest V3 next phase


It's behind a flag:  edge://flags/#cors-for-content-scripts

CORS for content scripts

Prevent content scripts of Extensions from bypassing CORS. – Mac, Windows



Microsoft Edge Version 83.0.477.0 (Official build) canary (64-bit)



When web pages request cross-origin data with fetch or XHR APIs, the response is denied unless CORS headers allow it. In contrast, extension content scripts have traditionally been able to fetch cross-origin data from any origins listed in their extension's permissions, regardless of the origin that the content script is running within. As part of a broader Extension Manifest V3 effort to improve extension security, privacy, and performance, these cross-origin requests in content scripts will soon be disallowed. Instead, content scripts will be subject to the same request rules as the page they are running within. Extension pages, such as background pages, popups, or options pages, are unaffected by this change and will continue to be allowed to bypass CORS for cross-origin requests as they do today.




1 Reply

Background Scripts are now getting blocked from making CORS requests, they should be able to make these requests.

This works as expected in Chrome (background script CORS requests are not blocked), but Edge didn't seem to get the memo.