Safari Web Extension background request CORS issues

Hi,
I am trying the new Safari WebExtension on Safari 14 beta on Mojave, and everything seems smooth so far except one thing:
The AJAX request in the background will always fail since it is cross-origin.
Here is the error image

This is not an issue on Chrome, and I think it makes sense because the Web Extension background page's Origin is always the WebExtension protocol (like "chrome://<uuid>"), and it should approve all the requests even if the origin mismatches.

But in Safari WebExtension it is not allowed. Even if I add the "Access-Control-Allow-Origin: *" header in the server's response headers, the background page requests still fail.

The only way I can make it work is to disable the cross-origin restrictions in the Develop menu, but that is not a solution for production.

Any advice to resolve this?
Thanks a lot

Accepted Reply

CORS requests are ignored in Safari in the background and pop up pages if the extension has those domains in their manifest permissions. Note that CORS is enforced for content scripts, which matches a change Chrome is also making soon.

Also note, the GUID for Safari web extensions changes every launch of Safari to avoid website fingerprinting.

Replies

Can you send a feedback report via Feedback Assistant with a test extension? Thanks!
Hi @timothy,
I re-tested my extension, and actually it is my server issue. After I added the following headers in the response:

Access-Control-Allow-Origin: safari-web-extension://<guid>
Access-Control-Allow-Headers: <some request header we sent>

Safari background page makes the requests successfully.

However, this is still something extension developers may be concerned about: should Safari check CORS in the extension background page? I feel that the background page is not a normal webpage. Extension developers may make API requests to servers out of their control, and if this CORS limit is applied, then a lot of the background requests will fail because of this web-extension protocol Origin.

By comparison, Chrome and Firefox always approve the CORS request even if the origin mismatches.

I would just like to know if Apple has any plan to remove this CORS limit in the background page.

Thanks a lot

CORS requests are ignored in Safari in the background and pop up pages if the extension has those domains in their manifest permissions. Note that CORS is enforced for content scripts, which matches a change Chrome is also making soon.

Also note, the GUID for Safari web extensions changes every launch of Safari to avoid website fingerprinting.
What I mean is, CORS requests are allowed in the background and pop up pages if the extension has those domains in their manifest permissions.
Thanks a lot @timothy for pointing out all these
Yes, I added the URL to the manifest permissions (it seems the wildcard URL https://*/ has no effect on unblocking CORS), and the CORS request works fine in the background.
Thank you for the help!

Hello luxu, I have been facing the same CORS issue with my web extension. Can you share what URL permission was added to the manifest? This would help me try the same.


luxu/swaminathanv, did you guys ever find a working solution? I'm now trying on manifest 3 and trying this approach with host_permissions without success.
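
For a server you control, the response headers from the thread (Access-Control-Allow-Origin: safari-web-extension://<guid> plus Access-Control-Allow-Headers) have to cope with the GUID changing on every Safari launch. The sketch below is an added example, not code from the thread or from Apple; the function name, the allowlists and the sample origins are hypothetical, and it assumes <guid> is a 36-character UUID.

```javascript
// Added example. Assumption: <guid> is a 36-character UUID.
const EXTENSION_ORIGIN =
  /^safari-web-extension:\/\/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Hypothetical policy values for illustration.
const WEB_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_REQUEST_HEADERS = new Set(["content-type", "x-api-key"]);

// Returns the CORS response headers for a request, or null to send none
// (the browser then blocks the cross-origin read).
function corsHeadersFor(origin, requestedHeaders = "") {
  if (typeof origin !== "string") return null;
  const isExtension = EXTENSION_ORIGIN.test(origin);
  if (!isExtension && !WEB_ORIGINS.has(origin)) return null;

  // Preflight: every header named in Access-Control-Request-Headers
  // must be on the allowlist, otherwise no CORS headers are returned.
  const asked = requestedHeaders
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!asked.every((h) => ALLOWED_REQUEST_HEADERS.has(h))) return null;

  const headers = {
    // Echo the exact origin: the GUID differs on every Safari launch, so a
    // fixed safari-web-extension://<guid> value stops matching after a restart.
    "Access-Control-Allow-Origin": origin,
    // The response differs per Origin, so caches must key on it.
    "Vary": "Origin",
  };
  if (asked.length) headers["Access-Control-Allow-Headers"] = asked.join(", ");
  // The scheme check admits any Safari extension, so this is not
  // authentication; the API still has to verify credentials itself.
  return headers;
}

// Constructed sample origins (two launches of the same extension).
const launch1 = "safari-web-extension://1B2C3D4E-AAAA-4BBB-8CCC-0123456789AB";
const launch2 = "safari-web-extension://9F8E7D6C-DDDD-4EEE-9FFF-BA9876543210";
console.log(corsHeadersFor(launch1, "X-Api-Key"));
console.log(corsHeadersFor(launch2));
console.log(corsHeadersFor("https://other.example"));
```

For background and popup pages, the thread's resolution is still to list the target domains in the manifest permissions; this server-side handling only applies to endpoints whose responses you can change.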