[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

CORS Unblock

Version 0.5.2 View in Chrome Web Store

Last scanned: 7 days ago | force re-scan

Extension Details

Rating: 4.1 ★ (176 ratings)

Users: 200,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a substantial user base of 200,000 users and maintains a decent rating of 4.1 stars from 176 reviews, suggesting general user satisfaction. However, the lack of clear developer information and company details raises transparency concerns. CORS unblocking is a legitimate development need, but the implementation approach significantly impacts security risk.

Concerns:

The combination of debugger permission with broad host access creates a particularly dangerous scenario. The debugger permission allows deep system access that could be exploited to manipulate other extensions or browser functionality. The all_urls host permission means this extension can intercept and modify traffic on every website you visit. While CORS unblocking requires some network manipulation, the debugger permission seems excessive for this functionality. The storage permission, though lower risk, adds another data collection vector.

Recommendations:

Consider running this extension in a dedicated Chrome profile used only for development work, never for personal browsing or sensitive activities. Only enable it when actively needed for development tasks, then disable immediately after. Alternative approaches include using browser developer tools' built-in CORS disabling features or local development servers with proper CORS configuration. If you must use this extension, regularly audit what data it might be storing and monitor your browsing sessions for unusual behavior.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: debugger

This extension has the debugger permission. Can debug and manipulate other extensions/apps. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "CORS Unblock",
  "icons": {
    "16": "/data/icons/disabled/16.png",
    "32": "/data/icons/disabled/32.png",
    "48": "/data/icons/disabled/48.png",
    "64": "/data/icons/disabled/64.png",
    "128": "/data/icons/disabled/128.png",
    "256": "/data/icons/disabled/256.png",
    "512": "/data/icons/disabled/512.png"
  },
  "action": {},
  "version": "0.5.2",
  "background": {
    "service_worker": "worker.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_description__",
  "permissions": [
    "storage",
    "declarativeNetRequest",
    "debugger"
  ],
  "homepage_url": "https://webextension.org/listing/access-control.html",
  "default_locale": "en",
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3
}

by ✦ Astarte

CORS Unblock

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (3 total):

Raw Manifest

Detections

Manifest Findings

https://clients2.google.com/service/update2/crx	https://webextension.org/listing/access-control.html
https://webbrowsertools.com/test-cors/