[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

CORS Unblock

Version 0.5.2 View in Chrome Web Store

Last scanned: 8 days ago | force re-scan

Extension Details

Rating: 4.1 ★ (176 ratings)

Users: 100,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a moderate user base of 100,000 users and a decent rating of 4.1/5 from 176 reviews, suggesting some level of community acceptance. However, the lack of clear developer information and company details raises transparency concerns. CORS unblocking is a legitimate development need, but the implementation approach significantly impacts risk.

Concerns:

The debugger permission is particularly concerning as it grants extensive system-level access that goes far beyond what's needed for CORS functionality. This permission allows the extension to inspect, modify, and control other browser processes, creating potential attack vectors. The broad host permissions across all URLs mean the extension can intercept and modify traffic on every website you visit. The combination of these permissions creates a powerful surveillance and manipulation capability that exceeds the stated purpose of simply unblocking CORS requests.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to development work only, isolating it from your personal browsing. Alternative approaches include using browser developer tools' built-in CORS disabling features, local proxy servers, or server-side CORS configuration changes. If you must use this extension, disable it when not actively needed for development, regularly review what websites you visit while it's active, and monitor for any unusual browser behavior. Consider seeking extensions with more limited permissions that achieve the same CORS unblocking functionality through less invasive methods.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: debugger

This extension has the debugger permission. Can debug and manipulate other extensions/apps. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "CORS Unblock",
  "icons": {
    "16": "/data/icons/disabled/16.png",
    "32": "/data/icons/disabled/32.png",
    "48": "/data/icons/disabled/48.png",
    "64": "/data/icons/disabled/64.png",
    "128": "/data/icons/disabled/128.png",
    "256": "/data/icons/disabled/256.png",
    "512": "/data/icons/disabled/512.png"
  },
  "action": {},
  "version": "0.5.2",
  "background": {
    "service_worker": "worker.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_description__",
  "permissions": [
    "storage",
    "declarativeNetRequest",
    "debugger"
  ],
  "homepage_url": "https://webextension.org/listing/access-control.html",
  "default_locale": "en",
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3
}

by ✦ Astarte

CORS Unblock

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (3 total):

Raw Manifest

Detections

Manifest Findings

https://clients2.google.com/service/update2/crx	https://webextension.org/listing/access-control.html
https://webbrowsertools.com/test-cors/