How to keep the same internal UUID by installing a Firefox add-on in unlisted mode?

Good morning,

I am developing a browser add-on for Firefox.
I would like to ask a question.
Is it possible to publish the add-on in an unlisted way, but making sure that when it is installed in the browser it always maintains the same internal UUID (which does not correspond to the add-on ID)?
If it is not possible to do this by publishing it unlisted, would it be possible to do so by publishing it in your store in a listed way?

I await your kind reply
Thank you, best regards

I assume the UUID you’re referring to would be used to uniquely identify the extension for update and installation purposes. If so, the answer is no. Firefox add-ons are uniquely identified by the add-on ID. More specifically, the "id" field in the browser_specific_settings manifest.json field.

That said, this may be an XY problem. What are you trying to accomplish? Why do you want to uniquely identify an extension using something other than the ID?

The problem is the following: I need to make some API calls to a certain domain from the add-on I developed. Due to the server CORS, I am unable to get a response from the server. The add-on is distributed through an .xpi file.
Every time the add-on is installed, the UUID changes, so the origin also changes, making it impossible to put the origin path in the CORS settings on the server (I don’t want to put * in CORS).
For these reasons, I need to find a way to make the origin “fixed” per every add-on installation.

I await your kind reply
Thank you, best regards

You can solve this using host permission, matching your server domain name:

The extra privileges include:


Hi, I had tried using the host_permissions key, but it didn’t work…this is my manifest file:

All the API calls are sent using background.js script (and not from content script in functions.js).
Can you tell me what I’m doing wrong? Thank you

When pasting code here, place triple backticks ``` on the line above and below the code, that will activate code format, which is much better than a screenshot :slight_smile: .

Also, could you paste here also your fetch code?
Note that you are requesting host permission for example.org (didn’t you mean to use example.com?), so this allows you to make fetch from example.org page.
Make sure to check the docs to help you create proper match pattern:

Also, be aware that adding host permission into existing extension will notify all existing users! So if your extension is already deployed, it’s better to use optional_host_permissions, and then request it at runtime.

Yes, example.org is ok.
The following is an example of fetch in my code:

```js
function pollingPop(/* ... */) {
    let successPop = false;
    let responseCode = null;
    let urlApi = "https://example.org/call";
    let headersObj = {
        "Accept": "application/json",
        "Content-Type": "application/json"
    };
    fetch(urlApi, {
        method: "POST",
        headers: headersObj,
        body: JSON.stringify({
            attribute: "exampleName"
        })
    })
    .then(response => {
        // ...
    })
    .then(resultJSON => {
        // ...
    });
}
```

Please help me, thank you

Let’s try something easy to test.
For example, try to run this in the console, it should fail with 405 error (as expected)

```js
await fetch('https://example.org/call', {
  method: "POST",
  headers: { "Accept": "application/json", "Content-Type": "application/json" },
  body: JSON.stringify({ attribute: "exampleName" }),
})
```

Do you still get the CORS error?

Unfortunately, a “403 Invalid CORS request” is returned, as previously

What browser version are you using?
Also, open “about:addons” page, click your addon and see if it says it has access to the host you need:

My Firefox version is 131.0.3
Yes, I have access to the host I need

In that case, the only explanation is that you are not running the fetch from the background script :smiley:.
Write a console.log(location.href) before the fetch to see what file you are running?

It returns this string: moz-extension://{{INTERNAL_UUID}}/_generated_background_page.html

And the background.js is running:

Damn, I hate when things make no sense :smiley:.
Any chance you are using some other extension that can intercept and modify requests?

I’m getting out of ideas… Could you, as an experiment, add "<all_urls>" permission? That should give you access to all hosts. Just to verify that this is indeed a missing host issue.

Unfortunately it continues to give 403 error even with “<all_urls>”.

But I ask you a question… if I put a string like “moz-extension://{{ID}}” in the CORS settings of the server, where “ID” corresponds to the “id” field in the browser_specific_settings manifest.json field, would it work?

Looking at the docs, it looks like I don’t fully understand CORS after all :frowning:.

From what I can see in my own extension, when I make a POST request, the Origin header is indeed there:

Origin: moz-extension://1a7bbb1f-0d6c-4c83-9fa2-f9a7d79a72f4

In any case, what I do know is that the extension ID is changing with each installation (in Firefox, in Safari it changes on each browser start, only Chrome keeps it the same), so you shouldn’t use it on the server.
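
Added example, not code from any poster in this thread: a sketch of a server-side `Origin` check of the kind that returns the 403 discussed above, fed with the `moz-extension://` origin quoted in the last post. The function names, the policy fields and the second UUID are constructed; it shows that pinning one install's UUID rejects every other install, while accepting the whole scheme admits every Firefox extension.

```javascript
// Added example: helper names, policy fields and the second UUID are constructed.
const EXT_RE = /^moz-extension:\/\/([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$/i;

function classifyOrigin(header) {
  if (typeof header !== "string" || header === "" || header === "null") return { kind: "none" };
  const ext = EXT_RE.exec(header);
  if (ext) return { kind: "extension", uuid: ext[1].toLowerCase() };
  try {
    const url = new URL(header);
    // A valid Origin value is scheme://host[:port] only, with no path or query.
    if (url.protocol === "https:" && url.origin === header) return { kind: "web", origin: url.origin };
  } catch (_) { /* unparsable: treated as invalid below */ }
  return { kind: "invalid" };
}

function respond(origin, reason) {
  // Echo the exact origin instead of "*" and make caches vary on it.
  return { status: 200, headers: { "Access-Control-Allow-Origin": origin, "Vary": "Origin" }, reason };
}

function evaluateOrigin(header, policy) {
  const o = classifyOrigin(header);
  if (o.kind === "web" && policy.webOrigins.has(o.origin)) return respond(header, "allowlisted web origin");
  if (o.kind === "extension") {
    // Pinning works only for the one install whose random UUID was copied here.
    if (policy.pinnedUuids.has(o.uuid)) return respond(header, "pinned install UUID");
    // Scheme-wide acceptance matches every Firefox extension, not just this add-on.
    if (policy.anyExtension) return respond(header, "any moz-extension origin");
  }
  return { status: 403, headers: {}, reason: `origin not allowed (${o.kind})` };
}

// Constructed demo: the UUID quoted in the thread is pinned; a second install differs.
const demoPolicy = {
  webOrigins: new Set(["https://app.example.org"]),
  pinnedUuids: new Set(["1a7bbb1f-0d6c-4c83-9fa2-f9a7d79a72f4"]),
  anyExtension: false,
};
const demoOrigins = [
  "moz-extension://1a7bbb1f-0d6c-4c83-9fa2-f9a7d79a72f4", // install A (from the thread)
  "moz-extension://00000000-1111-2222-3333-444444444444", // install B (constructed)
  "https://app.example.org",
];
for (const origin of demoOrigins) {
  const r = evaluateOrigin(origin, demoPolicy);
  console.log(r.status, origin, "-", r.reason);
}
```

If extension origins are accepted scheme-wide, the request has to be authorized by something other than the `Origin` header.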