Hi all,
Starting in Chrome 135, we have begun enforcing `web_accessible_resources` for server-initiated redirects.
Previously, an HTTP server could return a response in the 300-399 range, and if the `Location` header contained a chrome-extension:// URL, Chrome would redirect to that URL. This was the case even for resources that were not marked as web accessible.
For example, if you visited example.com and received the following HTTP response, the redirect would always succeed:
```
HTTP/1.1 301 Moved Permanently
Location: chrome-extension://abcdefghijklmnopqrstuvwxyz/not-web-accessible.html
```
Now, redirects to extension resources are only allowed if resources are declared as web accessible.
We hope this change will help to keep users safe and have minimal impact otherwise. As always, please let us know if you have any feedback or notice any unexpected behavior following these changes.
Thanks,
Oliver on behalf of Chrome Extensions DevRel
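
As an added example (not part of the original post and not Chrome's own code), the helper below checks whether a `chrome-extension://` redirect target is covered by a manifest's `web_accessible_resources`, so server-side redirects can be audited against the new enforcement. The sample manifest and its file names are constructed, the `*` wildcard handling is an approximation of Chrome's matching, and the `matches` / `extension_ids` restrictions on an entry are returned for review rather than evaluated.

```javascript
// Constructed sample manifest (MV3 form); the file names are hypothetical.
const sampleManifest = {
  manifest_version: 3,
  web_accessible_resources: [
    { resources: ["pages/welcome.html", "images/*"], matches: ["https://example.com/*"] }
  ]
};

// Turn a resource pattern with "*" wildcards into an anchored RegExp.
// Assumption: "*" matches any run of characters; a leading "/" is ignored.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/^\//, "")
    .split("*")
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$");
}

// Return the web_accessible_resources entries that cover the redirect target.
// An empty array means the resource is not declared web accessible, so a
// server-initiated redirect to it is expected to be blocked from Chrome 135 on.
function coveringEntries(manifest, redirectUrl) {
  const url = new URL(redirectUrl);
  if (url.protocol !== "chrome-extension:") {
    throw new Error("not a chrome-extension:// URL");
  }
  const path = decodeURIComponent(url.pathname).replace(/^\//, "");
  const declared = manifest.web_accessible_resources || [];
  // MV2 declares a flat list of strings; normalise to the MV3 object shape.
  const entries = declared.map(e => (typeof e === "string" ? { resources: [e] } : e));
  return entries.filter(e =>
    (e.resources || []).some(p => patternToRegExp(p).test(path))
  );
}

// The Location value from the post is not declared in the sample manifest.
const target = "chrome-extension://abcdefghijklmnopqrstuvwxyz/not-web-accessible.html";
console.log(coveringEntries(sampleManifest, target).length === 0 ? "blocked" : "declared");
```

A non-empty result still needs its `matches` list reviewed by hand, since an entry only exposes the resource to the origins it names.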