I haven’t tested, but according to the documentation:
Content scripts get the same cross-domain privileges as the rest of the extension: so if the extension has requested cross-domain access for a domain using the permissions key in manifest.json, then its content scripts get access to that domain as well.
This is accomplished by exposing more privileged XHR and fetch instances in the content script, which has the side-effect of not setting the Origin and Referer headers like a request from the page itself would; this is often preferable to prevent the request from revealing its cross-origin nature.
Note: In Firefox, extensions that need to perform requests that behave as if they were sent by the content itself can use content.XMLHttpRequest and content.fetch() instead.
Ref. https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts#xhr_and_fetch
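
The choice the documentation describes, written out as a content-script helper. This is an added example, not part of the original post or of the MDN page; the names selectFetch, guardedFetch and ALLOWED_ORIGINS are hypothetical, and the allow-list is a constructed sample that should mirror the hosts listed under permissions in manifest.json.

```javascript
// Constructed sample: origins the extension requested in manifest.json.
const ALLOWED_ORIGINS = new Set(["https://api.example.com"]);

// Return the fetch implementation for the requested context.
//   "page"      -> content.fetch (Firefox only): behaves like a request
//                  sent by the page itself.
//   "extension" -> the content script's own, more privileged fetch, which
//                  does not set Origin and Referer the way the page would.
function selectFetch(mode, scope = globalThis) {
  if (mode === "page") {
    const c = scope.content;
    if (c && typeof c.fetch === "function") {
      return (...args) => c.fetch(...args);
    }
    // Fail closed rather than silently falling back to the privileged fetch.
    throw new Error("content.fetch is not available in this context");
  }
  if (mode === "extension") {
    if (typeof scope.fetch !== "function") {
      throw new Error("fetch is not available in this context");
    }
    return (...args) => scope.fetch(...args);
  }
  throw new TypeError("mode must be 'page' or 'extension'");
}

// Send a request, allowing the privileged path only for allow-listed origins.
function guardedFetch(mode, url, init = {}, scope = globalThis) {
  const target = new URL(url); // absolute URLs only; throws on relative input
  if (mode === "extension" && !ALLOWED_ORIGINS.has(target.origin)) {
    throw new Error("privileged fetch refused for " + target.origin);
  }
  return selectFetch(mode, scope)(target.href, init);
}
```

Passing an explicit mode at each call site keeps it visible in review which requests leave with the extension's privileges and which behave like the page's own.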