Yes and yes. I typed the first part without my glasses and copied the second one. For reference I corrected it above.
Regarding host permission:
Yes, one does indeed need it (<all_urls>
is the easiest way to test it). Here is why:
- https://developers.google.com/web/ilt/pwa/working-with-the-fetch-api#cross-origin_requests
- having a host permission for the target drops that cross-origin restriction (and CORS would actually be another way around it, if it is supported by the server)