Can not use cross-origin requests from an MV3 addon background script on Nightly v102

Hi,

I just tried to check if I can port one of my extensions to MV3 using this guide, and it seems that I can not use cross-origin requests from the background script in any way.
A sample repo of a stub addon is located here. It has permission for all urls (neither “<all_urls>”, nor ", “*://*/*” works) and tries to fetch https://gutenberg.org but fails with the following error: “Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://gutenberg.org/. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 200.

The request contains “Origin” header with moz-extension://<extension id> URL. It is not possible to remove this header even using blocking web requests API, which was possible in MV2. “connect-src http://* https://*” in addon CORS settings also does not help.

Haven’t found any bugs on bugzilla. Are cross-origin requests forbidden in MV3?

Thanks for testing our dev preview of MV3. The issue is about host permissions, in MV3, they’re not granted automatically on install, but instead user needs to grant them at some point.

Depending on what’s appropriate for your extension, you could ask the user using promise.request(), or they can grant it by going to about:addons, selecting your addon, and flipping the toggle in the permissions tab.

We’re also working on an easier UI to do this, tied to your extension browser action, but that’s not final yet.

Thanks for pointing out that this is not clear from the migration guide, I’ll see to update that this week.