Browser extensions and CORS: host permissions versus web page rules
Extensions with broad host permissions can call APIs ordinary websites cannot—treat that as privileged code.
Different security models
Content scripts share the page's origin; background pages can use the extension's host permissions to bypass the same-origin policy for specific hosts.
Malicious extensions can abuse these powers—document why your extension needs each permission.
Enterprise policy
Managed browsers can block sideloaded extensions; rely on standard CORS for customer-facing integrations.
Audit extension updates with the same rigor as backend deploys.
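One way to apply that audit to host access is to diff the match patterns requested by two versions of manifest.json and flag any that cover every host. This is an added example, not code from the original post; the function names and both sample manifests are constructed for illustration.

```javascript
// A host match pattern is "<all_urls>" or "scheme://host/path".
const isHostPattern = (p) =>
  p === "<all_urls>" || /^(\*|https?|wss?|ftp|file):\/\//.test(p);

// Broad = every URL, or a "*" host (e.g. "https://*/*", "*://*/*").
function isBroad(p) {
  if (p === "<all_urls>") return true;
  const m = /^[^:]+:\/\/([^/]*)\//.exec(p);
  return m !== null && m[1] === "*";
}

// Collect every host pattern a manifest requests. MV3 uses host_permissions;
// MV2 mixes host patterns into permissions, so both are read.
function hostPatterns(manifest) {
  const out = new Set();
  const keys = ["host_permissions", "optional_host_permissions",
                "permissions", "optional_permissions"];
  for (const key of keys) {
    for (const p of manifest[key] || []) if (isHostPattern(p)) out.add(p);
  }
  for (const cs of manifest.content_scripts || []) {
    for (const p of cs.matches || []) out.add(p);
  }
  return out;
}

// Compare a released manifest with a proposed update.
function auditUpdate(oldManifest, newManifest) {
  const before = hostPatterns(oldManifest);
  const after = [...hostPatterns(newManifest)].sort();
  return {
    added: after.filter((p) => !before.has(p)), // new host access to justify
    broad: after.filter(isBroad),               // patterns covering all hosts
  };
}

// Constructed sample manifests (hypothetical extension).
const released = { manifest_version: 3, permissions: ["storage"],
  host_permissions: ["https://api.example.com/*"] };
const proposed = { manifest_version: 3, permissions: ["storage", "tabs"],
  host_permissions: ["https://api.example.com/*", "https://*/*"],
  content_scripts: [{ matches: ["https://app.example.com/*"], js: ["content.js"] }] };

console.log(auditUpdate(released, proposed));
```

Run in CI against the previous release's manifest, a non-empty `added` or `broad` list is a reasonable trigger for requiring a written justification before the update ships.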
