1 comment

[ 3.6 ms ] story [ 11.0 ms ] thread
tl;dr:

  - chrome hides OPTIONS requests in dev tools
  - chrome disallows cross-origin requests to extensions permission urls [1]
[1] https://www.chromium.org/Home/chromium-security/extension-co...

"extension content scripts have traditionally been able to fetch cross-origin data from any origins listed in their extension's permissions, regardless of the origin that the content script is running within. As part of a broader Extension Manifest V3 effort to improve extension security, privacy, and performance, these cross-origin requests in content scripts will soon be disallowed."