WebExtensions: Content Scripts should bypass CORS restrictions
As of f34437c7 extension views bypass CORS, meaning they can use fetch and xhr on hosts they have permissions to.
However, Content Scripts are also supposed to be able to bypass CORS as per these docs: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions
"XMLHttpRequest and fetch access to those origins without cross-origin restrictions (even for requests made from content scripts)"
However:
- WebKitGTK exposes no direct way of doing this. webkit_web_view_set_cors_allowlist() applies to the entire view, not specific script worlds inside of it. From what I could tell WebKit doesn't even support this internally but I don't have Safari to test their implementation.
- For ManifestV3 this ability has been removed: https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/host_permissions
  "XMLHttpRequest and fetch access to those origins without cross-origin restrictions (though not for requests from content scripts, as was the case in Manifest V2)."
So in the short term I think this will just be unsupported. Extensions have multiple ways for content scripts to communicate with privileged views. For now just leaving this documented here.
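
The alternative mentioned above, a content script asking a privileged view to make the request, sketched as an added example (not code from this issue or the project) using the standard `browser.runtime` messaging API. The background script checks the requested URL against an allowlist so the relay is not usable as an open proxy by whatever page the content script runs in; the `relay-fetch` message type, `ALLOWED_ORIGINS` and `api.example.com` are assumptions.

```javascript
// Background script (privileged extension view).
// Assumed host permission in manifest.json: "https://api.example.com/*"
// (constructed placeholder origin).
const ALLOWED_ORIGINS = new Set(["https://api.example.com"]);

// Returns the normalized URL if a content script may request it, else null.
function checkRelayUrl(raw) {
  let url;
  try {
    url = new URL(raw); // rejects relative and malformed URLs
  } catch {
    return null;
  }
  if (url.protocol !== "https:") return null;
  if (url.username || url.password) return null; // no embedded credentials
  // Compare the parsed origin, never a string prefix of the raw URL.
  return ALLOWED_ORIGINS.has(url.origin) ? url.href : null;
}

// Handles {type: "relay-fetch", url} messages sent by content scripts.
// fetchImpl is injectable so the handler can be exercised without a network.
async function handleRelay(message, fetchImpl = fetch) {
  if (!message || message.type !== "relay-fetch") {
    return { ok: false, error: "unknown message" };
  }
  const href = checkRelayUrl(message.url);
  if (href === null) {
    return { ok: false, error: "origin not allowed" };
  }
  // GET only, and without cookies, to limit what a hostile page can trigger.
  const resp = await fetchImpl(href, { method: "GET", credentials: "omit" });
  return { ok: resp.ok, status: resp.status, body: await resp.text() };
}

// Register only when running inside an extension.
if (typeof browser !== "undefined") {
  // Returning a Promise from the listener sends its value as the reply.
  browser.runtime.onMessage.addListener((message) => handleRelay(message));
}

// Content script side:
//   const reply = await browser.runtime.sendMessage(
//     { type: "relay-fetch", url: "https://api.example.com/v1/items" });
```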