CORS Unblock

Version 0.5.2 View in Chrome Web Store

Last scanned: 10 days ago | force re-scan

Extension Details

Rating: 4.1 ★ (176 ratings)

Users: 100,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a substantial user base of 100,000 users and maintains a decent rating of 4.1/5 from 176 reviews, suggesting general user satisfaction. However, the lack of visible developer information and company details reduces transparency and accountability. CORS (Cross-Origin Resource Sharing) unblocking is a legitimate development need, which aligns with the extension's stated purpose.

Concerns:

The combination of permissions creates significant security risks. The debugger permission is particularly concerning as it allows deep system access that could be exploited to manipulate other extensions or browser functionality. The broad host permissions across all URLs means this extension can intercept and modify traffic on every website you visit. While the storage permission alone is relatively benign, when combined with the other permissions, it could be used to persistently store sensitive intercepted data. The technical nature of CORS manipulation means this extension operates at a low level that could bypass normal browser security protections.

Recommendations:

Consider running this extension in a separate Chrome profile dedicated solely to development work to isolate potential risks from your main browsing activities. Only enable the extension when actively needed for development purposes, and disable it during regular browsing. Verify the extension's behavior using browser developer tools to ensure it's only modifying CORS headers as intended. Consider alternative solutions like browser flags or local development server configurations that don't require such broad permissions.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: debugger

This extension has the debugger permission. Can debug and manipulate other extensions/apps. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "CORS Unblock",
  "icons": {
    "16": "/data/icons/disabled/16.png",
    "32": "/data/icons/disabled/32.png",
    "48": "/data/icons/disabled/48.png",
    "64": "/data/icons/disabled/64.png",
    "128": "/data/icons/disabled/128.png",
    "256": "/data/icons/disabled/256.png",
    "512": "/data/icons/disabled/512.png"
  },
  "action": {},
  "version": "0.5.2",
  "background": {
    "service_worker": "worker.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_description__",
  "permissions": [
    "storage",
    "declarativeNetRequest",
    "debugger"
  ],
  "homepage_url": "https://webextension.org/listing/access-control.html",
  "default_locale": "en",
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3
}

by ✦ Astarte

CORS Unblock

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (3 total):

Raw Manifest

Detections

Manifest Findings

https://clients2.google.com/service/update2/crx	https://webextension.org/listing/access-control.html
https://webbrowsertools.com/test-cors/