Hi,
I have an extension that needs to bypass CORS with credentials in MV3, and I tried to use webRequest.onHeadersReceived.addListener to change responseHeaders. After testing, I found that onHeadersReceived works in MV2 but does not work in MV3, with exactly the same code. The listener does run, but the responseHeaders were not changed.
Am I missing something?
In MV2:
```json
"manifest_version": 2,
"background": {
  "scripts": ["js/bg.js"]
},
"permissions": [
  "webRequest",
  "webRequestBlocking",
  "<all_urls>"
]
```
In MV3:
```json
"manifest_version": 3,
"background": {
  "scripts": ["js/bg.js"]
},
"permissions": [
  "webRequest",
  "webRequestBlocking"
],
"host_permissions": [
  "<all_urls>"
]
```
By reading the Firefox source code, I have got the answer!
In WebRequest.jsm:
```js
...
// Response HTTP Headers matching the following patterns are restricted for changes
// applied by MV3 extensions.
const MV3_RESTRICTED_HEADERS_PATTERNS = [
  /^cross-origin-embedder-policy$/,
  /^cross-origin-opener-policy$/,
  /^cross-origin-resource-policy$/,
  /^x-frame-options$/,
  /^access-control-/,
];
...
  isResponseHeaderRestricted(lowerCaseHeaderName) {
    return MV3_RESTRICTED_HEADERS_PATTERNS.some(regex =>
      regex.test(lowerCaseHeaderName)
    );
  }
...
    } else if (
      opts.policy.manifestVersion > 2 && this.isResponseHeaderRestricted(lowerCaseName)
    ) {
      // TODO (Bug 1787155 and Bug 1273281) open this up to MV3 extensions,
      // locked behind manifest.json declarative permission and a separate
      // explicit user-controlled permission (and ideally also check for
      // changes that would lead to security downgrades).
      Cu.reportError(
        `Disallowed change restricted response header ${name} on ${this.channel.finalURL} from ${opts.policy.debugName}`
      );
      return;
    }
```
In the above code, all access-control-allow-* header changes made in a webRequest.onHeadersReceived event listener are refused in MV3 (MV2 is not influenced). That is because of Bug 1787155 and Bug 1273281.
Bug 1787155 says: "We are restricting the ability to modify security-sensitive HTTP headers by extensions ([bug 1785821] and [bug 1786919]), to prevent extensions from downgrading the security of the websites that a user is visiting."
So, for security reasons, those headers cannot be changed by extensions in MV3. As a result, all extensions for bypassing CORS and content blockers (e.g. CORS Everywhere, uBlock) will die in MV3.
Besides, this restriction is not mentioned in the Mozilla docs.
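To see in advance which of a listener's header changes fall under this restriction, here is an added example (not code from the post or from Firefox) that reuses the pattern list quoted above. The helper `auditHeaderChanges` and the sample headers are hypothetical, and the helper assumes one value per header name and treats removals like any other change.

```javascript
// Patterns copied from the WebRequest.jsm excerpt quoted in the post.
const MV3_RESTRICTED_HEADERS_PATTERNS = [
  /^cross-origin-embedder-policy$/,
  /^cross-origin-opener-policy$/,
  /^cross-origin-resource-policy$/,
  /^x-frame-options$/,
  /^access-control-/,
];

function isResponseHeaderRestricted(lowerCaseHeaderName) {
  return MV3_RESTRICTED_HEADERS_PATTERNS.some(regex =>
    regex.test(lowerCaseHeaderName)
  );
}

// Hypothetical helper: diff the headers a response arrived with against the
// headers an onHeadersReceived listener returned, and sort each change into
// "applied" or "dropped" according to the manifestVersion > 2 check above.
// Assumption: one value per header name; removals count as changes.
function auditHeaderChanges(manifestVersion, original, modified) {
  const toMap = headers =>
    new Map(headers.map(h => [h.name.toLowerCase(), h.value]));
  const before = toMap(original);
  const after = toMap(modified);
  const applied = [];
  const dropped = [];
  for (const name of new Set([...before.keys(), ...after.keys()])) {
    if (before.get(name) === after.get(name)) continue; // untouched header
    const change = { name, from: before.get(name) ?? null, to: after.get(name) ?? null };
    const blocked = manifestVersion > 2 && isResponseHeaderRestricted(name);
    (blocked ? dropped : applied).push(change);
  }
  return { applied, dropped };
}

// Constructed sample: what the server sent and what a listener returned.
const sampleOriginal = [{ name: "Content-Type", value: "application/json" }];
const sampleModified = [
  { name: "Content-Type", value: "application/json" },
  { name: "Access-Control-Allow-Origin", value: "https://app.example" },
  { name: "Access-Control-Allow-Credentials", value: "true" },
  { name: "X-Debug", value: "1" },
];

console.log(auditHeaderChanges(3, sampleOriginal, sampleModified));
console.log(auditHeaderChanges(2, sampleOriginal, sampleModified));
```

Anything listed under `dropped` for manifest version 3 corresponds to a "Disallowed change restricted response header" message reported through `Cu.reportError` in the excerpt above.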