Tags: javascript, xmlhttprequest, content-security-policy, firefox-addon-webextensions

Xhr from extension is blocked despite the <all_urls> manifest permission


As I learned from https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/manifest.json/permissions#Host_permissions, to make unrestricted CORS requests it should be enough to have host permissions, so my manifest looks like:

"permissions": [
    "activeTab",
    "proxy",
    "<all_urls>"
],

I also tried playing with the manifest's CSP key:

"content_security_policy": "default-src 'self' 'unsafe-inline'; script-src 'self'; object-src 'self'"

But it did not help; when I try to make the XHR I still see in the console:
Content Security Policy: The page’s settings blocked the loading of a resource at https://jsonplaceholder.typicode.com/posts/1 (“default-src”) (with csp settings above; with default csp I don't even see attempt to request)

document.addEventListener("click", (e) => {
    if (e.target.id == 'submit') {
        sendCredentials();
    }
});

function sendCredentials() {
    // assumes form fields reachable as document.login / document.password;
    // payload is built here but not sent by the GET below
    var payload = JSON.stringify({
        'login': document.login.value,
        'password': document.password.value
    });

    let xhr = new XMLHttpRequest();
    xhr.onreadystatechange = function () {
        if (xhr.readyState == XMLHttpRequest.DONE) {
            browser.runtime.sendMessage({
                "type": "save_token",
                "session_token": 'dummy_token'
            });
        }
    };
    xhr.open("GET", "https://jsonplaceholder.typicode.com/posts/1", true);
    xhr.send();
}

I expected that after setting host permissions in manifest.json I would be able to request any URL.


Solution

  • I am guessing the code is injected into a page. Is that correct?

    Host permissions apply to requests made from the extension. Once you inject the code into a page, it gets its permissions from the page, and CORS requests are normally blocked.

    You can pass it back to the extension to make the request and then pass it back to the page using the messaging API.

    It seems Firefox is stating "we are blocking all third-party storage access requests and content blocking is enabled." Blocked: All third-party storage access requests

    You can try doing it from a background script or page. It works fine from an option page for example.
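An added example (not the answerer's code) of the split described above: the background script, which runs with the extension's host permissions, performs the request on behalf of the content script and replies over the runtime messaging API. The origin allowlist, the "fetch_json" message shape and the injectable fetchImpl parameter are assumptions made for this example.

```javascript
// Background script: the only place the network request happens.
// Only origins the extension actually needs are served, so the privileged
// background page does not become a general-purpose fetch proxy for any
// message that reaches it. (The allowlist is an assumption for this example.)
const ALLOWED_ORIGINS = new Set(["https://jsonplaceholder.typicode.com"]);

function isAllowedUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" && ALLOWED_ORIGINS.has(u.origin);
  } catch (e) {
    return false; // not parseable as an absolute URL
  }
}

// fetchImpl defaults to the global fetch; it is injectable so the handler can
// be exercised outside a browser (assumed parameter, not a WebExtension API).
async function handleFetchRequest(message, fetchImpl = globalThis.fetch) {
  if (!message || message.type !== "fetch_json" || typeof message.url !== "string") {
    return { ok: false, error: "malformed request" };
  }
  if (!isAllowedUrl(message.url)) {
    return { ok: false, error: "url not allowed" };
  }
  const resp = await fetchImpl(message.url, { method: "GET", credentials: "omit" });
  if (!resp.ok) {
    return { ok: false, error: `http ${resp.status}` };
  }
  return { ok: true, data: await resp.json() };
}

// Wire the handler to the messaging API when running inside the extension.
// Returning a promise from the listener delivers its resolved value as the reply.
if (typeof browser !== "undefined" && browser.runtime && browser.runtime.onMessage) {
  browser.runtime.onMessage.addListener((msg) => handleFetchRequest(msg));
}

// Content-script side (runs only in a page the extension injected into):
// instead of calling XMLHttpRequest itself, it asks the background to do it.
async function requestPostFromBackground(id) {
  return browser.runtime.sendMessage({
    type: "fetch_json",
    url: `https://jsonplaceholder.typicode.com/posts/${id}`,
  });
}
```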