
Origin header not being sent from service worker when Site Access is set to "On click"


Kenny Sutherland

Oct 14, 2024, 3:08:54 AM
to Chromium Extensions
When I set my Chrome extension's Site access from "On all sites" to "On click", I get a CORS error for requests originating from my service worker:

Access to XMLHttpRequest at 'https://example.com/target/path' from origin 'chrome-extension://<extension-id>' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

The above error was due to my server returning status 307 – redirecting to the WWW domain for the URL. Now, after making the request to https://www.example.com/target/path instead, I discovered that Chrome is not setting the origin header on the requests from the service worker: "request.headers.origin" shows up in my backend as undefined, yet I'm getting a CORS error, "No 'Access-Control-Allow-Origin' header is present on the requested resource", in the service worker console.

Am I supposed to wildcard (*) allow all requests that don't have an origin specified? Because whitelisting the extension origin does nothing in this case.

I never had any of these issues when Site access was set to "On all sites".

Patrick Kettner

Oct 14, 2024, 12:53:27 PM
to Kenny Sutherland, Chromium Extensions
That would be expected. Since the user has not granted access to the domain, standard web CORS rules apply. Rather than "<all_urls>", a better option would be for the extension to request the specific host_permission that it needs access to in order to work.

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/4798a4d0-b2a2-4760-be6c-790659fc076dn%40chromium.org.

Kenny Sutherland

Oct 14, 2024, 3:51:29 PM
to Chromium Extensions, Patrick Kettner, Chromium Extensions, Kenny Sutherland
Yes, I did specify "https://*.example.com/*" as the only host permission and the origin header was still not sent to the server.

Patrick Kettner

Oct 14, 2024, 4:13:49 PM
to Kenny Sutherland, Chromium Extensions
Yes, but you removed the effect of that by changing the site access to "On click". You can't skip the CORS checks unless the user has granted the permission to the domain.

Kenny Sutherland

Oct 14, 2024, 10:58:38 PM
to Chromium Extensions, Patrick Kettner, Chromium Extensions, Kenny Sutherland
Okay, thank you for clarifying that. I thought just adding the target host would suffice. How would the user grant permission?
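The thread ends on the question of how the user grants the host access that a manifest "host_permissions" entry only declares. The following is an added example, not code from the thread or from Chrome's documentation, of how a service worker can check for that grant before making a cross-origin request and ask for it from a user gesture. It assumes an MV3 extension whose manifest lists the host (e.g. "https://*.example.com/*", as in the thread), and it assumes, which the thread does not state, that `chrome.permissions.contains()` reports a host withheld by the "On click" setting as not granted and that `chrome.permissions.request()` re-grants it when called from a user gesture. The `permissions` and `fetchImpl` parameters are injected so the decision logic can be run outside the browser; `fakePermissions` and the URL `https://www.example.com/target/path` are constructed test inputs.

```javascript
// Added example (not from the thread): only fetch from the service worker
// when the user has actually granted access to the target host.
// Assumption: chrome.permissions.contains() returns false for a host that is
// declared in host_permissions but withheld by the "On click" site-access
// setting, and chrome.permissions.request() re-grants it from a user gesture.

// Turn a request URL into the origin match pattern the permissions API expects.
function originPatternFor(url) {
  const u = new URL(url);
  if (u.protocol !== "https:" && u.protocol !== "http:") {
    throw new Error(`unsupported scheme for host access: ${u.protocol}`);
  }
  return `${u.protocol}//${u.host}/*`;
}

// Pure decision helper: do the granted origin patterns cover this URL?
// Understands "<all_urls>", exact hosts, "*." subdomain wildcards and "*://".
function isCoveredBy(grantedPatterns, url) {
  const u = new URL(url);
  const webScheme = u.protocol === "https:" || u.protocol === "http:";
  return grantedPatterns.some((pattern) => {
    if (pattern === "<all_urls>") return webScheme;
    const m = /^(https?|\*):\/\/(\*\.)?([^/:]+)(?::\d+)?\/\*$/.exec(pattern);
    if (!m) return false; // not a pattern this helper understands
    const [, scheme, subdomains, host] = m;
    const schemeOk = scheme === "*" ? webScheme : `${scheme}:` === u.protocol;
    const hostOk =
      host === "*" ||
      u.hostname === host ||
      (subdomains !== undefined && u.hostname.endsWith(`.${host}`));
    return schemeOk && hostOk;
  });
}

// Service-worker side: check the grant first, and skip the request when it is
// absent, since without it ordinary web CORS rules apply and the response
// would be blocked anyway (the symptom reported in the thread).
async function fetchIfGranted(permissions, fetchImpl, url) {
  const pattern = originPatternFor(url);
  const granted = await permissions.contains({ origins: [pattern] });
  if (!granted) {
    return { status: "no-host-access", pattern };
  }
  const resp = await fetchImpl(url);
  return { status: resp.ok ? "ok" : "http-error", httpStatus: resp.status };
}

// Constructed stand-in for chrome.permissions, backed by a list of patterns,
// so the flow above can be exercised under Node. contains() mirrors Chrome's
// subsumption check by testing the requested origin against granted patterns.
function fakePermissions(grantedPatterns) {
  const granted = [...grantedPatterns];
  return {
    async contains({ origins }) {
      return origins.every((p) => isCoveredBy(granted, p.replace(/\/\*$/, "/")));
    },
    async request({ origins }) {
      granted.push(...origins);
      return true;
    },
  };
}

// Real wiring: request the grant from a user gesture (the toolbar action click,
// which only fires when the action has no popup), then fetch. Guarded so this
// module also loads outside the browser.
if (typeof chrome !== "undefined" && chrome.action && chrome.permissions) {
  chrome.action.onClicked.addListener(async () => {
    const url = "https://www.example.com/target/path"; // constructed example URL
    const ok = await chrome.permissions.request({ origins: [originPatternFor(url)] });
    if (ok) {
      console.log(await fetchIfGranted(chrome.permissions, fetch, url));
    }
  });
}
```

Because `originPatternFor` derives the pattern from the exact host the request goes to, a redirect to a different host (such as the 307 to the `www` domain mentioned earlier in the thread) would need that host covered by the grant as well; the subdomain-wildcard pattern the thread uses covers both.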