allow cors - access-control-allow-origin
made by fts18
v1.0

modify request/response headers, bypass cors constraints, strip security configurations, and configure redirect routes locally during web development.

[chrome web store] [github]
core features
detailed guides & operations
1. understanding credentials vs wildcard (*) block

when a fetch request has its credentials mode set to include (e.g. sending cookies or basic auth), the browser throws this error:

Access to fetch at 'api.site.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.

how the extension fixes it: when allow credentials is checked, the background worker determines the origin of your active tab (e.g. https://localhost:3000 or https://my-app.vercel.app) and injects it as the exact response header value for Access-Control-Allow-Origin, bypassing the browser constraint.

2. configuring url redirection maps

you can map remote files, third-party api calls, or tracking scripts to point directly to your local development assets.

how to use:

  • from: use wildcards to catch target assets. example: *analytics.js* or *zoologyfibre.com/watch*
  • to: configure the local web server target. example: http://localhost:3000/mocks/analytics.js

once added, matching requests will be intercepted and served from the target url, preventing production api dependencies from crashing local test suites.

3. auto-disable alarms & security protection
security alert: leaving cors bypass on permanently exposes your browser to cross-site request forgery (csrf) or cross-site scripting (xss) vulnerabilities when browsing general websites (e.g. online banking, emails).

how to use: set the auto-disable dropdown to a desired duration (e.g., 10 or 30 minutes). the background worker schedules a system wakeup tick using the MV3 alarms API. when it triggers, the extension switches off automatically, returning your browser to normal secure behavior.

4. sharedarraybuffer & cross-origin isolation

modern browser APIs (such as multithreading using WebAssembly or shared memory buffers) require the document to be cross-origin isolated.

how the extension fixes it: checking support sharedarraybuffer appends the required headers to the HTML document response:

Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
5. referer & origin header stripping

some servers check request headers and block queries that originate from other hostnames (like localhost).

how the extension fixes it: toggling strip referer/origin headers intercepts request headers dynamically before transmission and drops referer and origin completely, letting you query strict api gateways.

local setup
  1. clone the code repository: git clone https://github.com/FTS18/allow-cors.git
  2. go to chrome://extensions/ in google chrome.
  3. enable developer mode (top right toggle).
  4. click load unpacked and select the extension folder.