Hello,
We plan to deprecate and remove the CORB/CORS allowlist in Chrome 87. The allowlist was introduced in Chrome 73 to help extensions transition to a new security model, where content scripts are no longer able to bypass CORB and (since Chrome 85) CORS. According to the Chrome dashboard, the Chrome 87 release is tentatively scheduled to ship to the Beta channel around 2020-10-15 and to the Stable channel around 2020-11-17.
The decision to deprecate the allowlist is primarily motivated by the desire to keep Chrome users secure: restricting the capabilities exposed to content scripts helps prevent those capabilities from leaking to malicious webpages that may be hosted in the same renderer process. Additionally, the planned “CORS for content scripts” changes are on track to ship in Chrome 85 and should allow removing many extensions from the allowlist: those that were only allowlisted because their content script requests needed to be approved by CORS (e.g. because Chrome did not send the `Origin` HTTP request header before Chrome 85).
To see if your extension is affected, test your extension by launching Chrome (version 83.0.4103.50 or later) with the following command line flags:

    --enable-features=OutOfBlinkCors,CorbAllowlistAlsoAppliesToOorCors \
    --force-empty-corb-allowlist
If your extension's content scripts make requests that don’t work when Chrome is launched with the command line flags above, then you need to change your extension to keep it working in Chrome 87 and above. In particular, you might need to update your extension to initiate cross-origin fetches from the extension background page (instead of from a content script).
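One way to make that change, as an added example that is not part of this announcement or of any Chrome code: the content script asks the background page to perform the cross-origin fetch, and the background page validates the request before fetching. The message shape, the `cross-origin-fetch` type string and the `ALLOWED_ORIGINS` list are assumptions constructed for this illustration.

```javascript
// Added example (not from the announcement): move a cross-origin fetch from
// a content script into the extension background page. ALLOWED_ORIGINS and
// the message format are constructed assumptions for this demo.

const ALLOWED_ORIGINS = ['https://api.example.com']; // constructed sample

// Background side: check a request coming from a content script before
// fetching. The content script runs in the web page's renderer process, so
// its messages are untrusted input; the background page must not become an
// open proxy that fetches any URL a compromised page asks for.
function validateFetchRequest(msg) {
  if (!msg || msg.type !== 'cross-origin-fetch' || typeof msg.url !== 'string') {
    return { ok: false, error: 'malformed request' };
  }
  let url;
  try {
    url = new URL(msg.url);
  } catch (e) {
    return { ok: false, error: 'invalid URL' };
  }
  if (!ALLOWED_ORIGINS.includes(url.origin)) {
    return { ok: false, error: 'origin not permitted: ' + url.origin };
  }
  return { ok: true, url: url.href };
}

// Background side: perform the fetch once the request has been validated.
// fetchImpl is injectable so the logic can be exercised outside a browser.
async function handleFetchRequest(msg, fetchImpl = globalThis.fetch) {
  const check = validateFetchRequest(msg);
  if (!check.ok) return { ok: false, error: check.error };
  const resp = await fetchImpl(check.url);
  return { ok: resp.ok, status: resp.status, body: await resp.text() };
}

// Background page wiring; only runs when loaded inside an extension.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    handleFetchRequest(msg).then(sendResponse);
    return true; // keep the channel open for the asynchronous reply
  });
}

// Content script side: instead of calling fetch() directly (which is now
// subject to CORB/CORS), ask the background page to do it.
function requestViaBackground(url) {
  return new Promise((resolve) =>
    chrome.runtime.sendMessage({ type: 'cross-origin-fetch', url }, resolve));
}
```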
It is possible that your extension continues to work fine when Chrome is launched with the command line flags above, even if your extension has been added to the allowlist in the past. This likely indicates that the Chrome 85 changes make it possible to simply remove your extension from the allowlist. In that case, you don’t need to take any action to keep your extension working in Chrome 87 and above.
To learn more about the Chrome 73, 85 and 87 changes to how content scripts interoperate with CORB and CORS, please read the “Changes to Cross-Origin Requests in Chrome Extension Content Scripts” document. In the document you will find more information about the allowlist, as well as guidance on how to transition your extension to the new security model.
Thank you in advance for your help in keeping Chrome's users secure!
Lukasz Anforowicz and the Chrome Security Architecture team