10

Link to a repo with the Xcode project to test the issue: Test CORS Issue

This extension uses Manifest v3 and I have example.com in host_permissions

"host_permissions": [
        "*://example.com/*"
    ]

When I run fetch("https://example.com") in background.js I get this error:

[Error] Fetch API cannot load https://example.com/ due to access control checks.
[Error] Failed to load resource: Origin safari-web-extension://e0b5d7c7-c079-484b-8825-44d261383cb6 is not allowed by Access-Control-Allow-Origin. Status code: 200 (example.com, line 0)

Tested in both Safari Version 16.0 (17614.1.25.9.10, 17614) and Safari Technology Preview Release 153 (Safari 16.0, WebKit 17615.1.4.1)

In the code I use chrome namespace (to test it in Chrome Browser) but I get the same issue with browser namespace.

If I run this extension without any change in Chrome Browser it works perfectly (chrome://extensions/ → Load Unpacked)

Is there a way to avoid CORS issues without altering server access control settings?

Manifest v2 worked fine in this way.

Update 1:

The workaround for now to use background scripts (deprecated in v3) instead of background service worker.

Instead of this:

"background": {
        "service_worker": "background.js"
    },

Do this:

 "background": {
        "scripts": ["background.js"]
    },

Update 2: How to make your extension work for both Chrome and Safari?

Chrome supports only

"background": {
        "service_worker": "background.js"
    },

Safari supports both service_worker and scripts but when you use service_worker it has this CORS issue.

So the solution is to ship extension with different values in background field.

Nick Kadutskyi
  • 148
  • 8
  • 2
    Looks like it's a bug in Safari. – wOxxOm Sep 14 '22 at 11:40
  • I noticed this as well. Using `service_worker` in Safari, it's broken with CORS, but background scripts still work. We already ship our extension with two different manifest files since Firefox also does not support `service_worker` yet, so we will also have to do the same for Safari. Sad times. – TranquilMarmot Jan 11 '23 at 19:32
  • @NickKadutskyi - you should make an answer out of this to get you some stack points! – AntonOfTheWoods Apr 22 '23 at 08:06

2 Answers2

0

This is now fixed (and here) in 16.4.

From: https://webkit.org/blog/13966/webkit-features-in-safari-16-4/#safari-web-extensions

Fixed CORS issue when doing fetch requests from a background service worker.
AntonOfTheWoods
  • 809
  • 13
  • 17
0

No need for workaround

Fixed in Safari Tech Preview since Nov 5 2022
https://github.com/nick-kadutskyi/safari-ext-cors-issue/issues/1#event-8471562656

Fixed in Safari since 16.4

Old workaround

The workaround for now to use background scripts (deprecated in v3) instead of background service worker.

Instead of this:

"background": {
        "service_worker": "background.js"
    },

Do this:

 "background": {
        "scripts": ["background.js"]
    },

Update 2: How to make your extension work for both Chrome and Safari?

Chrome supports only

"background": {
        "service_worker": "background.js"
    },

Safari supports both service_worker and scripts but when you use service_worker it has this CORS issue.

So the solution is to ship extension with different values in background field.

Nick Kadutskyi
  • 148
  • 8