XMLHttpRequest fails with header CORS “Access-Control-Allow-Origin” missing error

In my manifest.json I have specified the webRequest permission. However, the XMLHttpRequest call that is using POST to send data is being blocked. The only way to bypass this is by entering the destination URL in permission. However, looking at other extensions that do communicate with a home server, none are listing the destination URL but rather webRequest along with other ordinary permissions; none of them list all the endpoints to be allowed to phone home.

Hello again :slight_smile:, fun stuff this CORS!

Things are pretty complicated, so I would suggest you read some docs:

That one is informative but not exactly helpful in this situation.

This one will explain host permissions in addons which helps with CORS:

And lastly this one will tell you how to use activeTab instead of host permission:

To summarize, if your server has CORS enabled (every server should have CORS enabled!), you need to have a permission for the HOST where you are making a request - it can be wild card, it can be <all_urls>, or you can use activeTab which will give you host permission for the currently opened page.

Hello, I already have activeTabs permission, yet if I don't specify an endpoint URL it gives a CORS error. Of course my server accepts all requests, no need to log in or to come from a specific IP or things like this. I also have tabs because I may need to open a new tab; I think I read I need this permission.

The activeTab works only in certain situations, see the docs:

In short, in my case I need to enter my endpoint in permission. I don’t understand how other extensions could phone home without that.

Can you paste here some example extension? I’m sure there is a simple explanation :slight_smile:

I had to add permission “<all_urls>” to get rid of the CORS errors.

Same experience for me reading image-file via XMLHttpRequest() or fetch(). I have an EXIF-viewer (xIFr) which only loads images already shown on current page/browser-tab (sometimes images are embedded via [i]frames on page, but issue is not isolated to that setup), and only does it when the extension is activated by user from browser’s contextmenu. Still, only “<all_urls>” seems to work when image is read from another domain…

I prefer not, it is kinda scary for the user to be asked for additional permissions.

Eventually I resolved it by specifying the endpoint URLs that I need to phone in permissions. This was all I needed to make it work, the plug-in is published both for Firefox and Chrome, no CORS errors, all good. :+1:
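
The following is an added example, not code from this thread or from any extension mentioned in it. It audits a manifest against the endpoints an extension calls, reporting endpoints that no host permission covers and patterns broader than needed. The endpoint `https://api.example.com/collect`, the three sample manifests and the function names `matches` and `auditManifest` are assumptions made for illustration.

```javascript
// Added example: does a manifest grant host access to the endpoints it calls?
// Match pattern syntax: <scheme>://<host>/<path>, or the special "<all_urls>".
function matches(pattern, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (pattern === "<all_urls>") return /^(https?|wss?|ftp|file|data)$/.test(scheme);
  const m = /^(\*|https?|wss?|ftp|file):\/\/(\*|\*\.[^\/*]+|[^\/*]*)(\/.*)$/.exec(pattern);
  if (!m) return false; // API permission such as "webRequest", not a host pattern
  const [, pScheme, pHost, pPath] = m;
  if (pScheme === "*" ? !/^(https?|wss?)$/.test(scheme) : pScheme !== scheme) return false;
  const host = u.hostname;
  const hostOk = pHost === "*" || pHost === host ||
    (pHost.startsWith("*.") && (host === pHost.slice(2) || host.endsWith(pHost.slice(1))));
  if (!hostOk) return false;
  // Escape regex metacharacters in the path, then turn "*" into ".*".
  const pathRe = pPath.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + pathRe + "$").test(u.pathname + u.search);
}

// Returns the host patterns found, the over-broad ones, and uncovered endpoints.
// Manifest V2 lists host patterns under "permissions", V3 under "host_permissions".
function auditManifest(manifest, endpoints) {
  const all = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  const hostPatterns = all.filter((p) => p === "<all_urls>" || p.includes("://"));
  const broad = hostPatterns.filter((p) => p === "<all_urls>" || /^[^:]+:\/\/\*\//.test(p));
  const uncovered = endpoints.filter((e) => !hostPatterns.some((p) => matches(p, e)));
  return { hostPatterns, broad, uncovered };
}

// Constructed sample data: a placeholder endpoint and three manifest variants.
const ENDPOINT = "https://api.example.com/collect";
const manifests = {
  // API permissions only: activeTab grants temporary access to the active tab's
  // page after a user action, not to the extension's own server.
  apiOnly: { permissions: ["webRequest", "activeTab", "tabs"] },
  // Works, but grants the extension host access to every site.
  allUrls: { permissions: ["webRequest", "<all_urls>"] },
  // The resolution from the thread: list only the endpoint that is called.
  scoped: { permissions: ["webRequest", "https://api.example.com/*"] },
};

for (const [name, manifest] of Object.entries(manifests)) {
  const { broad, uncovered } = auditManifest(manifest, [ENDPOINT]);
  console.log(name, "uncovered:", uncovered, "over-broad:", broad);
}
```
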