Changes to Cross-Origin Requests in Chrome Extension Content Scripts

Łukasz Anforowicz

Jan 9, 2019, 2:53:07 PM
to Chromium Extensions, rdevlin...@chromium.org, cr...@chromium.org, na...@chromium.org
Hello!

As part of an effort to improve Chrome Extension security, cross-origin fetches will soon be disallowed from content scripts in Chrome Extensions.  Such requests can be made from extension background pages instead, and relayed to content scripts when needed.

The document linked below describes the motivation for the changes and provides details about the transition plan for affected extensions:


We have identified that less than 1% of Chrome Web Store extensions with more than 1000 users will be affected, only 18 of which are in the top 1000 extensions.  We will reach out to authors of extensions that we know are affected in a separate email, with more details about required changes.  To ease the transition, we are creating a temporary allowlist for affected extensions that we have identified, giving them a chance to update.  The new restrictions will affect other extensions in Q1 2019 (starting in Chrome Canary 73.0.3666.0).

If your extension performs cross-origin fetches from content scripts and is not included in the temporary allowlist, then it may stop working and cause the following error message:
Cross-Origin Read Blocking (CORB) blocked cross-origin response <URL> with MIME type <type>. See https://www.chromestatus.com/feature/5629709824032768 for more details.

Please see the document linked above for more details on how to update if needed, or how to request a temporary addition to the allowlist.

Thanks in advance for your help in keeping Chrome's users secure!

Lukasz Anforowicz and the Chrome Site Isolation team
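
The relay pattern described in the message above (fetch in the background page, result passed back to the content script), sketched as an added example that is not part of the original post or of Chrome's documentation. The API origin, the `fetchPrice` message type and the `itemId` field are hypothetical; the background page builds the URL itself instead of accepting one from the content script, so it does not act as an open cross-origin proxy.

```javascript
// background.js side (constructed example; origin and message shape are assumptions)
const API_ORIGIN = "https://api.example.com"; // placeholder origin

// Map a content-script message to the one URL shape the background page
// is willing to fetch. Anything unexpected yields null, so input that
// originates in a web page can never choose an arbitrary URL.
function buildRequestUrl(message) {
  if (!message || message.type !== "fetchPrice") return null;
  const id = message.itemId;
  if (typeof id !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(id)) return null;
  return `${API_ORIGIN}/price?item=${encodeURIComponent(id)}`;
}

// chrome.runtime.onMessage listener: performs the cross-origin fetch with
// the extension's own permissions and relays the parsed result.
function onMessage(message, sender, sendResponse) {
  const url = buildRequestUrl(message);
  if (url === null) {
    sendResponse({ ok: false, error: "unsupported request" });
    return false; // answered synchronously
  }
  fetch(url)
    .then((r) => (r.ok ? r.json() : Promise.reject(new Error(`HTTP ${r.status}`))))
    .then((data) => sendResponse({ ok: true, data }))
    .catch((err) => sendResponse({ ok: false, error: String(err) }));
  return true; // keep the message channel open for the async response
}

// Register only when running inside an extension.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener(onMessage);
}

// content-script side: ask the background page instead of calling fetch().
function requestPrice(itemId, callback) {
  chrome.runtime.sendMessage({ type: "fetchPrice", itemId }, callback);
}
```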

Łukasz Anforowicz

Feb 21, 2019, 1:01:50 PM
to Chromium Extensions, rdevlin...@chromium.org, cr...@chromium.org, na...@chromium.org
Hello,

As the changes to cross-origin requests are making their way to the stable channel, I would like to take this opportunity to encourage everyone to periodically test their extension against Chrome Beta - this is the best way to prevent surprises when new versions of Chrome roll to the stable channel.  Estimated release schedule of Chrome can be found here (the changes to cross-origin requests are included in M73 which is tentatively planned to be released to the stable channel around 2019-03-12).

In particular, since the announcement in January, we have learned of some extensions that are affected by the changes to cross-origin requests, but that haven't been detected earlier by Chrome instrumentation.  Thanks to reports from extension authors we have been able to work on adding such extensions to the allowlist.

More details about the changes to cross-origin requests can be found at https://www.chromium.org/Home/chromium-security/extension-content-script-fetches - this includes instructions for how to test if these changes might affect your extension (see the "Determine if Your Extension is Affected" section).

Thanks,

Lukasz

Łukasz Anforowicz

Mar 12, 2019, 2:22:22 PM
to Chromium Extensions, rdevlin...@chromium.org, cr...@chromium.org, na...@chromium.org
Chrome 73 has started ramping up on the Chrome Stable channel - this Chrome version includes the changes described in previous posts below.  If an extension stops working in Chrome 73 with an error message mentioning CORB, then you might want to read https://www.chromium.org/Home/chromium-security/extension-content-script-fetches (which includes steps to verify if these changes are indeed responsible and information on how to request adding an extension to a temporary "allowlist").

-Lukasz