New Feature: CORS for extension content scripts | Manifest V3 next phase


It's behind a flag:  edge://flags/#cors-for-content-scripts

CORS for content scripts

Prevent content scripts of Extensions from bypassing CORS. – Mac, Windows

#cors-for-content-scripts

Microsoft Edge Version 83.0.477.0 (Official build) canary (64-bit)

Overview

When web pages request cross-origin data with fetch or XHR APIs, the response is denied unless CORS headers allow it. In contrast, extension content scripts have traditionally been able to fetch cross-origin data from any origins listed in their extension's permissions, regardless of the origin that the content script is running within. As part of a broader Extension Manifest V3 effort to improve extension security, privacy, and performance, these cross-origin requests in content scripts will soon be disallowed. Instead, content scripts will be subject to the same request rules as the page they are running within. Extension pages, such as background pages, popups, or options pages, are unaffected by this change and will continue to be allowed to bypass CORS for cross-origin requests as they do today.

https://www.chromium.org/Home/chromium-security/extension-content-script-fetches
0 Replies
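
Added example, not part of the original post or of the Edge/Chromium code: because extension pages keep their cross-origin access while content scripts lose it, one way to adapt is to have the content script ask the background page for data over `chrome.runtime` messaging. The origin `https://api.example.com`, the `getItem` message shape, and the helper names are assumptions made for illustration; the handler builds the URL itself so a compromised page cannot use the content script to make the background page fetch arbitrary URLs.

```javascript
// Background-page side of the relay (added example; names are hypothetical).
// ALLOWED_ORIGIN stands for an origin listed in the extension's permissions.
const ALLOWED_ORIGIN = "https://api.example.com";

// Build the request URL from a validated id. The content script never
// supplies a URL, only an identifier that must match a strict pattern.
function buildItemUrl(itemId) {
  if (typeof itemId !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(itemId)) {
    throw new Error("invalid itemId");
  }
  return `${ALLOWED_ORIGIN}/items/${encodeURIComponent(itemId)}`;
}

// Handle one message from a content script. fetchImpl is injected so the
// logic can be exercised without a browser or network.
async function handleMessage(message, fetchImpl) {
  if (!message || message.type !== "getItem") {
    return { ok: false, error: "unsupported message" };
  }
  let url;
  try {
    url = buildItemUrl(message.itemId);
  } catch (e) {
    return { ok: false, error: e.message };
  }
  const response = await fetchImpl(url, { credentials: "omit" });
  if (!response.ok) {
    return { ok: false, error: `HTTP ${response.status}` };
  }
  return { ok: true, data: await response.json() };
}

// Register the listener only when running inside an extension page.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((message, sender, sendResponse) => {
    handleMessage(message, fetch)
      .then(sendResponse)
      .catch(() => sendResponse({ ok: false, error: "request failed" }));
    return true; // keep the channel open for the asynchronous reply
  });
}

// Content-script side (runs under the page's CORS rules, so it does not
// fetch cross-origin itself):
//   chrome.runtime.sendMessage({ type: "getItem", itemId: "abc123" }, (reply) => {
//     if (reply.ok) { /* use reply.data */ }
//   });
```
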