CORS Unblock

Version 0.5.2 View in Chrome Web Store

Last scanned: about 1 month ago | force re-scan

Extension Details

Rating: 4.1 ★ (176 ratings)

Users: 200,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has a substantial user base of 200,000 users and maintains a decent 4.1-star rating from 176 reviews, suggesting general user satisfaction. However, the lack of visible developer information and company details raises transparency concerns. CORS (Cross-Origin Resource Sharing) unblocking is a legitimate developer tool need, which provides some context for the broad permissions.

Concerns:

The combination of debugger permission with all_urls host access creates a particularly potent security risk profile. The debugger permission allows deep system access that could be exploited to manipulate other extensions or browser functionality. The broad host permissions enable the extension to intercept and modify network requests across all websites, creating opportunities for data theft or malicious injection. While storage permission is relatively benign, it allows persistent data collection. The technical nature of CORS manipulation means this extension operates at a low level that could bypass normal browser security mechanisms.

Recommendations:

Consider running this extension in a dedicated Chrome profile isolated from personal browsing and sensitive accounts. Only enable it when actively needed for development work, then disable it immediately after use. Regularly review the extension's network activity and consider alternative CORS solutions like local development servers with proper CORS headers. Monitor for any unusual browser behavior when the extension is active, and keep it updated to the latest version.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: debugger

This extension has the debugger permission. Can debug and manipulate other extensions/apps. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "CORS Unblock",
  "icons": {
    "16": "/data/icons/disabled/16.png",
    "32": "/data/icons/disabled/32.png",
    "48": "/data/icons/disabled/48.png",
    "64": "/data/icons/disabled/64.png",
    "128": "/data/icons/disabled/128.png",
    "256": "/data/icons/disabled/256.png",
    "512": "/data/icons/disabled/512.png"
  },
  "action": {},
  "version": "0.5.2",
  "background": {
    "service_worker": "worker.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "__MSG_description__",
  "permissions": [
    "storage",
    "declarativeNetRequest",
    "debugger"
  ],
  "homepage_url": "https://webextension.org/listing/access-control.html",
  "default_locale": "en",
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3
}

by ✦ Astarte

CORS Unblock

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (3 total):

Raw Manifest

Detections

Manifest Findings

https://clients2.google.com/service/update2/crx	https://webextension.org/listing/access-control.html
https://webbrowsertools.com/test-cors/