Run chrome without cors

Łukasz Anforowiczunread,Jul 20, 2020, 12:02:42 PM7/20/20to Chromium Extensions, Charlie Reis, Simeon Vincent, Devlin CroninHello,To streamline testing, Chrome 85 includes additional options on chrome://flags that can be used to opt into or out of the new behavior. This should help with testing on systems where command line flags cannot be easily specified (e.g. ChromeOS) and with avoiding mistakes spelling the command line flags.To opt into the changes (e.g. to test if your extension is affected), set chrome://flags/#cors-for-content-scripts to “Enabled” and chrome://flags/#force-empty-CORB-and-CORS-allowlist to “Enabled”:When testing an extension, look for the following error messages:or:Access to fetch at ' from origin ' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.To opt out of the changes (e.g. to verify whether a bug goes away in the absence of CORS-for-content-scripts), set chrome://flags/#cors-for-content-scripts to “Disabled”.Best regards,Lukasz Anforowicz and the Chrome Security Architecture teamŁukasz Anforowiczunread,Aug 18, 2020, 11:27:01 AM8/18/20to Chromium Extensions, Łukasz Anforowicz, Charles Reis, Simeon Vincent, Devlin CroninHello,To further reduce disruption amid the ongoing COVID-19 pandemic, we decided to proactively add to the allowlist all the potentially affected extensions that have been detected by Chrome telemetry in earlier Chrome versions. (This excludes extensions where authors have contacted us to indicate that they have migrated to the new security model. We thank those authors for their efforts and help in keeping Chrome users secure.) We still plan to deprecate the CORB/CORS

At 12:02:42 PM UTC-7 Łukasz Anforowicz wrote:Hello,To streamline testing, Chrome 85 includes additional options on chrome://flags that can be used to opt into or out of the new behavior. This should help with testing on systems where command line flags cannot be easily specified (e.g. ChromeOS) and with avoiding mistakes spelling the command line flags.To opt into the changes (e.g. to test if your extension is affected), set chrome://flags/#cors-for-content-scripts to “Enabled” and chrome://flags/#force-empty-CORB-and-CORS-allowlist to “Enabled”:When testing an extension, look for the following error messages:or:Access to fetch at ' from origin ' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.To opt out of the changes (e.g. to verify whether a bug goes away in the absence of CORS-for-content-scripts), set chrome://flags/#cors-for-content-scripts to “Disabled”.Best regards,Lukasz Anforowicz and the Chrome Security Architecture team-- Łukasz Anforowiczunread,Aug 20, 2020, 12:19:47 PM8/20/20to Jackie Han, Chromium Extensions, Charles Reis, Simeon Vincent, Devlin CroninJust thought of a thing, why those break changes or official announcements only post on this forum mixed with lots of other discussions?Two suggestions:setting up a dedicated announcement mailing list.Or email to all extension developers who has a paid CWS account, like the email "[Action Required] Revised Chrome Apps shut down plan"Thank you for the feedback. I'll let Devlin and Simeon answer the suggestion for a separate mailing list for announcements. It seems like a reasonable idea to me.Let

Ongoing COVID-19 pandemic, we decided to proactively add to the allowlist all the potentially affected extensions that have been detected by Chrome telemetry in earlier Chrome versions. (This excludes extensions where authors have contacted us to indicate that they have migrated to the new security model. We thank those authors for their efforts and help in keeping Chrome users secure.) We still plan to deprecate the CORB/CORS allowlist in Chrome 87 and therefore extensions should migrate the new security model as soon as possible.It is possible that some affected extensions have been missed by the Chrome telemetry pipeline. For example, to protect user privacy, only public Chrome Web Store extensions have been reported and the reports were discarded if they came from less than 50 unique clients. If you observe that an extension is broken in Chrome 85 because of CORS or CORB, then please reach out to us by opening a bug - we might be able to help by temporarily adding the extension to the allowlist until Chrome 87. As a reminder, the error messages to watch out for are:Cross-Origin Read Blocking (CORB) blocked cross-origin response with MIME type . See for more details.or:Access to fetch at ' from origin ' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.Best regards,Lukasz Anforowicz and the Chrome Security Architecture teamOn Monday, July 20, 2020

Don't work (despite the permission above), then it seems to be a Chrome bug (separate I think from CORS-for-content-scripts and from Could you please report the bug through and the CORS and/or extensions teams will be able to help further. (Feel free to reply with a bug number here as well.) I am sorry I wasn't able to help further. Best regards,LukaszŁukasz Anforowiczunread,Aug 24, 2020, 8:39:37 AM8/24/20to guest271314, Takashi Toyoshima, Chromium Extensions, Charles Reis, Simeon Vincent, Devlin Cronin, Jackie HanOn Mon, Aug 24, 2020 at 8:34 AM Łukasz Anforowicz luk...@chromium.org> wrote:Does this affect the ability to make cross-origin requests in background scripts?CORS-for-content-script changes (that will soon begin rolling out with Chrome 85 to the Stable channel) should *not* affect the behavior of extension background pages. Only the behavior of content scripts should be affected. Currently it does not appear to be possible to fetch() localhost from a background script, even when --disable-web-security is set and localhost is listed in treat insecure origins as secure. Am working on a project with two paths ( where the capability to fetch() from localhost is the current restriction to further testing.I see that is related to Native Messaging (rather than to XHR/fetch). For example, I don't see the string "localhost" or "127.0.0.1" mentioned in the bug.Kindly illuminate what the official procedure is to make a cross-origin request to localhost using fetch() ( without a network error being thrown.I think that if the extension manifest asks for permission to localhost, then CORS/CORB-bypassing-fetch/XHR to localhost should

Allowlist in Chrome 87 and therefore extensions should migrate the new security model as soon as possible.It is possible that some affected extensions have been missed by the Chrome telemetry pipeline. For example, to protect user privacy, only public Chrome Web Store extensions have been reported and the reports were discarded if they came from less than 50 unique clients. If you observe that an extension is broken in Chrome 85 because of CORS or CORB, then please reach out to us by opening a bug - we might be able to help by temporarily adding the extension to the allowlist until Chrome 87. As a reminder, the error messages to watch out for are:Cross-Origin Read Blocking (CORB) blocked cross-origin response with MIME type . See for more details.or:Access to fetch at ' from origin ' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.Best regards,Lukasz Anforowicz and the Chrome Security Architecture teamJackie Hanunread,Aug 20, 2020, 12:11:38 PM8/20/20to Łukasz Anforowicz, Chromium Extensions, Charles Reis, Simeon Vincent, Devlin CroninJust thought of a thing, why those break changes or official announcements only post on this forum mixed with lots of other discussions?Two suggestions:setting up a dedicated announcement mailing list.Or email to all extension developers who has a paid CWS account, like the email "[Action Required] Revised Chrome Apps shut down plan"Hello,To further reduce disruption amid the