Cross-origin request in a content script is blocked by CORB despite the correct CORS headers

Based on the examples in “Changes to Cross-Origin Requests in Chrome Extension Content Scripts”, I replaced all invocations of fetch with a new method fetchResource, that has a similar API, but delegates the fetch call to the background page: // contentScript.js function fetchResource(input, init) { return new Promise((resolve, reject) => { chrome.runtime.sendMessage({input, init}, messageResponse => … Read more

How do I import scripts into a service worker using Chrome extension manifest version 3?

First off, important warnings: Warning: Chrome 92 or older doesn’t show errors occurred in the service worker – it was a bug, fixed in newer Chrome, which now shows the errors in chrome://extensions page. These old versions of Chrome can’t register the background script if an unhandled exception occurs during its compilation (a syntax error … Read more

Chrome Dev Tools – “Size” vs “Content”

“Size” is the number of bytes on the wire, and “content” is the actual size of the resource. A number of things can make them different, including: Being served from cache (small or 0 “size”) Response headers, including cookies (larger “size” than “content”) Redirects or authentication requests gzip compression (smaller “size” than “content”, usually) From … Read more

CORS error on request to localhost dev server from remote site

Original Answer I finally found the answer, in this RFC about CORS-RFC1918 from a Chrome-team member. To sum it up, Chrome has implemented CORS-RFC1918, which prevents public network resources from requesting private-network resources – unless the public-network resource is secure (HTTPS) and the private-network resource provides appropriate (yet-undefined) CORS headers. There’s also a Chrome flag … Read more