onHeadersReceived does not work in mv3

Hi,
I have an extension that needs to bypass CORS with credentials in MV3, and I tried to use webRequest.onHeadersReceived.addListener to change responseHeaders. After testing, I found that onHeadersReceived works in MV2 but does not work in MV3, with exactly the same code. The listener does run, but the responseHeaders are not changed.
Am I missing something?
In MV2:
"manifest_version": 2
, "background": {
     "scripts": ["js/bg.js"]
}
, "permissions": [
     "webRequest"
     , "webRequestBlocking"
     , "<all_urls>"
]
In MV3:
"manifest_version": 3
, "background": {
     "scripts": ["js/bg.js"]
}
, "permissions": [
     "webRequest"
     , "webRequestBlocking"
]
, "host_permissions": [
     "<all_urls>"
]

By reading the firefox source code, I have got the answer!

in WebRequest.jsm:
...
// Response HTTP Headers matching the following patterns are restricted for changes
// applied by MV3 extensions.
const MV3_RESTRICTED_HEADERS_PATTERNS = [
     /^cross-origin-embedder-policy$/,
     /^cross-origin-opener-policy$/,
     /^cross-origin-resource-policy$/,
     /^x-frame-options$/,
     /^access-control-/,
];
...
isResponseHeaderRestricted(lowerCaseHeaderName) {
     return MV3_RESTRICTED_HEADERS_PATTERNS.some(regex =>
          regex.test(lowerCaseHeaderName)
     );
}
...
} else if (
     opts.policy.manifestVersion > 2 && this.isResponseHeaderRestricted(lowerCaseName)
) {
     // TODO (Bug 1787155 and Bug 1273281) open this up to MV3 extensions,
     // locked behind manifest.json declarative permission and a separate
     // explicit user-controlled permission (and ideally also check for
     // changes that would lead to security downgrades).
     Cu.reportError(
         `Disallowed change restricted response header ${name} on ${this.channel.finalURL} from ${opts.policy.debugName}`
     );
     return;
}

In the above code, all changes to access-control-allow-* headers in a webRequest.onHeadersReceived event listener are refused in MV3 (MV2 is not influenced), and that is because of Bug 1787155 and Bug 1273281.

Bug 1787155 says: 'We are restricting the ability to modify security-sensitive HTTP headers by extensions ([bug 1785821] and [bug 1786919]), to prevent extensions from downgrading the security of the websites that a user is visiting.'

So, for security reasons, those headers will not be changed by extensions in MV3. As a result, all CORS-bypass extensions and content blockers (e.g. CORS Everywhere, uBlock) will die in MV3.

Besides, this restriction was not mentioned in the Mozilla docs.
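The check quoted from WebRequest.jsm, modelled as an added example (not Firefox's code and not part of the original post), showing which of a listener's header changes survive under MV2 and MV3. The helper `applyHeaderChanges` and the sample headers are hypothetical and constructed; the model assumes one value per header name and a per-name check on every added, changed or removed header.

```javascript
// Patterns copied from the WebRequest.jsm excerpt quoted above.
const MV3_RESTRICTED_HEADERS_PATTERNS = [
  /^cross-origin-embedder-policy$/,
  /^cross-origin-opener-policy$/,
  /^cross-origin-resource-policy$/,
  /^x-frame-options$/,
  /^access-control-/,
];
const isRestricted = (lowerName) =>
  MV3_RESTRICTED_HEADERS_PATTERNS.some((re) => re.test(lowerName));

// Index a webRequest-style [{name, value}] array by lower-cased header name.
const toMap = (headers) =>
  new Map(headers.map((h) => [h.name.toLowerCase(), h.value]));

// Hypothetical helper: simplified model of applying a listener's returned
// responseHeaders. Restricted names are dropped when manifestVersion > 2.
function applyHeaderChanges(manifestVersion, original, returned) {
  const before = toMap(original);
  const after = toMap(returned);
  const effective = new Map(before);
  const rejected = [];
  for (const name of new Set([...before.keys(), ...after.keys()])) {
    if (before.get(name) === after.get(name)) continue; // untouched header
    if (manifestVersion > 2 && isRestricted(name)) {
      rejected.push(name); // original value (or absence) is kept
      continue;
    }
    if (after.has(name)) effective.set(name, after.get(name));
    else effective.delete(name);
  }
  return { effective: Object.fromEntries(effective), rejected: rejected.sort() };
}

// Constructed sample: the listener adds CORS headers, strips
// X-Frame-Options and sets one unrestricted header.
const original = [
  { name: "Content-Type", value: "application/json" },
  { name: "X-Frame-Options", value: "DENY" },
];
const returned = [
  { name: "Content-Type", value: "application/json" },
  { name: "Access-Control-Allow-Origin", value: "https://app.example" },
  { name: "Access-Control-Allow-Credentials", value: "true" },
  { name: "X-Debug", value: "1" },
];
for (const mv of [2, 3]) console.log(mv, applyHeaderChanges(mv, original, returned));
```

Under manifest version 3 the `rejected` list names the headers whose changes are dropped while the unrestricted `x-debug` change still applies, which matches the "listener runs but headers are unchanged" symptom described in the question.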