modify request/response headers, bypass cors constraints, strip security configurations, and configure redirect routes locally during web development.
when a fetch request has its credentials mode set to include (e.g. sending cookies or basic auth), the browser throws this error:
Access to fetch at 'api.site.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
how the extension fixes it: when allow credentials is checked, the background worker determines the origin of your active tab (e.g. https://localhost:3000 or https://my-app.vercel.app) and injects it as the exact response header value for Access-Control-Allow-Origin, bypassing the browser constraint.
you can map remote files, third-party api calls, or tracking scripts to point directly to your local development assets.
how to use:
*analytics.js* or *zoologyfibre.com/watch*http://localhost:3000/mocks/analytics.jsonce added, matching requests will be intercepted and served from the target url, preventing production api dependencies from crashing local test suites.
how to use: set the auto-disable dropdown to a desired duration (e.g., 10 or 30 minutes). the background worker schedules a system wakeup tick using the MV3 alarms API. when it triggers, the extension switches off automatically, returning your browser to normal secure behavior.
modern browser APIs (such as multithreading using WebAssembly or shared memory buffers) require the document to be cross-origin isolated.
how the extension fixes it: checking support sharedarraybuffer appends the required headers to the HTML document response:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
some servers check request headers and block queries that originate from other hostnames (like localhost).
how the extension fixes it: toggling strip referer/origin headers intercepts request headers dynamically before transmission and drops referer and origin completely, letting you query strict api gateways.
git clone https://github.com/FTS18/allow-cors.gitchrome://extensions/ in google chrome.extension folder.