[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

CORS Unblock

Version 0.5.2 View in Chrome Web Store

Last scanned: 10 days ago | force re-scan

Extension Details

Rating: 4.1 ★ (176 ratings)

Users: 200,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a substantial user base of 200,000 users and maintains a decent rating of 4.1 stars, suggesting general user satisfaction. However, the lack of visible developer information and company details reduces transparency and accountability. The extension's purpose of unblocking CORS (Cross-Origin Resource Sharing) restrictions is legitimate for web development scenarios.

Concerns:

The combination of permissions creates significant security risks. The debugger permission is particularly concerning as it allows deep system access that could be exploited to manipulate other extensions or browser functionality. The broad host permissions across all URLs mean this extension can potentially intercept, modify, or steal data from any website you visit. While the storage permission alone is relatively benign, combined with the other permissions it could be used to persistently store sensitive intercepted data.

The extension's core functionality of bypassing CORS restrictions, while useful for developers, inherently weakens browser security protections designed to prevent malicious cross-origin requests.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated to development work only. Disable the extension when not actively needed for development tasks. Monitor your browsing activity and be cautious about using it while accessing sensitive websites like banking or personal accounts. If possible, use alternative development tools or local proxy solutions that don't require such broad browser permissions.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: debugger

This extension has the debugger permission. Can debug and manipulate other extensions/apps. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "CORS Unblock",
  "icons": {
    "16": "/data/icons/disabled/16.png",
    "32": "/data/icons/disabled/32.png",
    "48": "/data/icons/disabled/48.png",
    "64": "/data/icons/disabled/64.png",
    "128": "/data/icons/disabled/128.png",
    "256": "/data/icons/disabled/256.png",
    "512": "/data/icons/disabled/512.png"
  },
  "action": {},
  "version": "0.5.2",
  "background": {
    "service_worker": "worker.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_description__",
  "permissions": [
    "storage",
    "declarativeNetRequest",
    "debugger"
  ],
  "homepage_url": "https://webextension.org/listing/access-control.html",
  "default_locale": "en",
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3
}

by ✦ Astarte

CORS Unblock

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (3 total):

Raw Manifest

Detections

Manifest Findings

https://clients2.google.com/service/update2/crx	https://webextension.org/listing/access-control.html
https://webbrowsertools.com/test-cors/