Background script can't cross-origin request without permission when server returns "Access-Control-Allow-Origin: *"

By design Issue #11075897

Details

Author
Tomohito Y.
Created
Feb 25, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
15.15042
Reports
Reported by 1 person

Sign in to watch or report this issue.

Steps to reproduce

When web server returns “Access-Control-Allow-Origin” header with “*” value,
Google Chrome allows Cross-origin request from extension’s background script without permission in manifest.json.

But Microsoft Edge does not allow request without permission.

I think it seems to be undocumented behaviour on Google Chrome. It maybe not Edge’s issue :-)
https://developer.chrome.com/extensions/xhr

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Status to “By design”

    • Hello,

      Thank you for providing this information about the issue. Edge is behaving properly; when the URL is not mentioned as part of the permissions in manifest.json file, the extension’s background script is barred from marking the cross origin requests even though the server returns “Access-Control-Allow-Origin” header with “*” value. Developers are expected to add the URL’s under the permissions in manifest.json for the cross origin requests. Currently, we do not plan to change this feature. Please update this case if you want to provide new information for us to consider.

      Best Wishes,
      The MS Edge Team

    You need to sign in to your Microsoft account to add a comment.

    Sign in