Chrome extension Manifest V3: host_permissions, CORS for cross-origin fetches, and service worker limitations

Isolated worlds do not share page cookies—CORS on the page and extension contexts can diverge confusingly.

Message passing to background workers should serialize minimal data to avoid leaking tokens across origins.

Chrome Web Store review may flag broad `<all_urls>`—justify CORS-related needs in your privacy policy.

Enterprise policy updates can revoke permissions—monitor CORS regressions for managed browsers.