[ new scan ] [ statistics ] [ github ] [ twitter ]

CORS Unblock

Version 0.5.2 View in Chrome Web Store

Last scanned: 21 days ago | force re-scan

Extension Details

Rating: 4.1 ★ (173 ratings)

Users: 100,000

Context-Aware Verdict

HIGH

Risk Level

Trust Factors:

The extension has a moderate user base of 100,000 users and a decent rating of 4.1/5, suggesting some level of community acceptance. However, the lack of clear author and developer information raises transparency concerns. CORS (Cross-Origin Resource Sharing) unblocking is a legitimate development need, but the implementation approach here is concerning.

Concerns:

The combination of debugger permission with broad host access creates a particularly dangerous scenario. The debugger permission allows deep system access that goes far beyond what's needed for CORS manipulation. The <all_urls> host permission means this extension can intercept and modify traffic on every website you visit. The declarativeNetRequest permission, while more secure than webRequest in theory, combined with debugger access, creates potential for sophisticated attacks. The storage permission, while lower risk, allows persistent data collection across sessions.

Recommendations:

Consider running this extension in a completely separate Chrome profile dedicated only to development work, never for general browsing. Before installing, verify if you truly need CORS unblocking - many development servers offer built-in CORS configuration. Look for alternative extensions with more limited permissions or use browser developer tools' built-in CORS disabling features. If you must use this extension, disable it immediately after development sessions and regularly audit what data it might be storing. Consider using local development proxies or server-side CORS configuration as safer alternatives.

Security Analysis

HIGH

Overall Risk

Based on 3 total findings, ranked without considering overall context, including 2 high-risk and 1 medium-risk findings.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: debugger

This extension has the debugger permission. Can debug and manipulate other extensions/apps. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "CORS Unblock",
  "icons": {
    "16": "/data/icons/disabled/16.png",
    "32": "/data/icons/disabled/32.png",
    "48": "/data/icons/disabled/48.png",
    "64": "/data/icons/disabled/64.png",
    "128": "/data/icons/disabled/128.png",
    "256": "/data/icons/disabled/256.png",
    "512": "/data/icons/disabled/512.png"
  },
  "action": {},
  "version": "0.5.2",
  "background": {
    "service_worker": "worker.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_description__",
  "permissions": [
    "storage",
    "declarativeNetRequest",
    "debugger"
  ],
  "homepage_url": "https://webextension.org/listing/access-control.html",
  "default_locale": "en",
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3
}

CORS Unblock

Extension Details

Context-Aware Verdict

Security Analysis

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (3 total):

Raw Manifest

Secure Annex (beta)

https://clients2.google.com/service/update2/crx	https://webextension.org/listing/access-control.html
https://webbrowsertools.com/test-cors/