Access-Control-Allow-Origin - Unblock: Unblock CORS error while developing or experimenting
The "Access-Control-Allow-Origin - Unblock" extension removes CORS (Cross-Origin Resource Sharing) restrictions enforced by your browser. It does this by adding two headers to all network requests: it sets the "Access-Control-Allow-Origin" header to "*", allowing requests from any origin, and updates the "Access-Control-Allow-Methods" header to include methods such as "GET", "PUT", "POST", "DELETE", "HEAD", "OPTIONS", and "PATCH". This enables the use of XMLHttpRequest and fetch to access content or JSON data across origins. The extension also offers an option to retain any existing headers. By default, it remains inactive to prevent unintended use. You can enable it on a per-tab basis by clicking the action button; its color indicates the current status. Starting with version 0.5.0, a configuration window opens for each tab, allowing you to customize and save settings by hostname. Don't forget to click the "Start" button when you want to activate CORS unblocking.

FAQs

  1. What is the "Access-Control-Allow-Origin - Unblock" add-on and how can I use it?

    The "Access-Control-Allow-Origin - Unblock" is a browser extension for developers to bypass CORS errors when the (development) server does not explicitly authorize them. By default, if the response to a request does not have the "Access-Control-Allow-Origin" header, the browser will not permit the use of the "XMLHttpRequest" or "fetch" method to access the resource content. When this extension is enabled, it will add the header "Access-Control-Allow-Origin = *" to every network request, allowing you to use these methods without encountering any errors. Without this header, you will receive the following error message:

    Access to XMLHttpRequest at *** from origin *** has been blocked by CORS policy: Method *** is not allowed by Access-Control-Allow-Methods in preflight response.

    This extension is disabled by default and should only be used while developing your code. I do not recommend keeping the extension enabled all the time, as it affects all network requests and appends the above headers to them. These headers let the browser allow scripts to access resources without explicit permission. When the extension is disabled, it does not observe network activities and does not consume any resources.

  2. Recommended "2FA (Two-Factor Authentication)" extension for Chrome and Edge browsers.

    2FA (Two-Factor Authentication) is an Aegis-compatible browser extension for managing TOTP and HOTP codes. It stores your tokens in an encrypted Aegis database file on your device instead of browser storage, making it easy to sync across devices with any file-sharing service. The database uses the same strong encryption as Aegis Authenticator and is fully compatible with the Aegis Android app. You can create, edit, organize, and delete tokens, customize their details and icons, and use keyboard shortcuts for faster access. Read more here.

  3. What's new in this version?

    Please check the Logs section.

  4. What happens when a network request already has the "Access-Control-Allow-Origin" or "Access-Control-Allow-Methods" headers?

    It depends on your settings. By default, the extension replaces these headers with the default values. However, you can preserve the original values through the right-click context menu by disabling the overwriting feature when these headers exist. You can choose to disable the overwriting feature for each header individually.
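
    How the overwrite interacts with the browser's check, as an added example that is not the extension's own code: corsCheck is a simplified model of the Fetch standard's CORS check, and applyUnblock is a hypothetical model of the header rewrite described above (one flag stands in for the two per-header options). The localhost origin and both sample responses are constructed.

```javascript
// Simplified model of the Fetch standard's "CORS check".
// Response headers are a plain object with lower-cased names.
function corsCheck(requestOrigin, responseHeaders, credentialsMode) {
  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;       // no header: read is blocked
  if (credentialsMode !== 'include' && allowOrigin === '*') return true;
  if (allowOrigin !== requestOrigin) return false;   // "*" lands here when credentials are sent
  if (credentialsMode !== 'include') return true;
  return responseHeaders['access-control-allow-credentials'] === 'true';
}

// Hypothetical model of the rewrite: force both headers unless the
// "keep existing" option is on and the server already sent the header.
const METHODS = 'GET, PUT, POST, DELETE, HEAD, OPTIONS, PATCH';
function applyUnblock(responseHeaders, { keepExisting = false } = {}) {
  const out = { ...responseHeaders };
  const set = (name, value) => {
    if (keepExisting && name in out) return;
    out[name] = value;
  };
  set('access-control-allow-origin', '*');
  set('access-control-allow-methods', METHODS);
  return out;
}

// Constructed sample data: a page on http://localhost:3000 calling an API.
const ORIGIN = 'http://localhost:3000';
const bare = { 'content-type': 'application/json' };   // server sends no CORS headers
const strict = {                                       // server already allows this origin
  'access-control-allow-origin': ORIGIN,
  'access-control-allow-credentials': 'true',
};

function demo() {
  return {
    bareBlocked: corsCheck(ORIGIN, bare, 'same-origin'),
    bareUnblocked: corsCheck(ORIGIN, applyUnblock(bare), 'same-origin'),
    strictWithCookies: corsCheck(ORIGIN, strict, 'include'),
    overwrittenWithCookies: corsCheck(ORIGIN, applyUnblock(strict), 'include'),
    preservedWithCookies: corsCheck(
      ORIGIN, applyUnblock(strict, { keepExisting: true }), 'include'),
  };
}
console.log(demo());
```

    A wildcard origin never satisfies a credentialed request, so overwriting a server that already names the origin turns a working call into a blocked one; keeping the existing header avoids that.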

  5. How can I determine if the extension is active (is overwriting headers)?

    When the extension is active, the action button changes its color from gray to orange, and the status is displayed in the tooltip area if you place your mouse over it.

  6. I prefer to have this extension constantly active, but it interferes with certain websites, such as "aliexpress.com". Is there a way to restrict its usage to specific hostnames?

    [Before 0.5.0 release] The extension currently does not have this capability. On Chromium browsers, you can restrict the extension's access to specific hostnames by right-clicking on the action button and selecting the "This can Read and Change Site Data" option. Now limit its access to the necessary hostnames.

    [After 0.5.0 release] The extension now works per tab. Simply enable it for a single tab and load the site inside this tab.

  7. If you need to unblock CSP (Content-Security-Policy) and have control over all the related headers, use:

  8. Can the extension emulate successful support for the preflight response if my test server does not support the "OPTIONS" method and my browser returns a "405 (Method Not Allowed)" status code?

    The extension, starting from version 0.3.5, can change the response status codes when an error happens (status codes in the 4xx range), utilizing the debugger protocol. You can turn the feature on and off per browser tab. To activate it, right-click the action button, go to the "Extra Options" menu, and enable the overwrite. Later you can turn it off by closing the debugger banner or pressing the disable button. Since the debugger API controls the overwrites, you need to manually enable it for each tab.

  9. How can I test if the extension works or not?

    Go to the webbrowsertools.com/test-cors web page. First, disable the extension (when the action button is gray). Try the tests. Now enable the extension and run the test once again.

  10. What is the purpose of the "Append Headers to Allow Shared Array Buffer" option and how does it work?

    The "Append Headers to Allow Shared Array Buffer" option enables access to the "SharedArrayBuffer" object even on localhost development. This option appends the necessary headers to let the browser permit the "SharedArrayBuffer" class on the page. To achieve this, the extension adds the "Cross-Origin-Opener-Policy = same-origin" and "Cross-Origin-Embedder-Policy = require-corp" headers to the top-level document and to all script requests. These headers cause the browser to permit access to the "SharedArrayBuffer" class. However, one drawback is that the browser will not allow remote resources on the page. To address this issue, the extension also adds "Cross-Origin-Resource-Policy = cross-origin" to all requests. By default, this option is disabled. If you need this object during development, you can enable it from the action button's context menu. Here is the meaning of the altered headers:

    • "Cross-Origin-Opener-Policy" (COOP) header: This header indicates the security policy for a document's "opener" browsing context. The value "same-origin" means that the document can only be navigated by or opened by the same origin documents.
    • "Cross-Origin-Embedder-Policy" (COEP) header: This header indicates the security policy for the resources a document embeds. The value "require-corp" limits the document to same-origin resources and to cross-origin resources that explicitly opt in to being loaded (for example through the "Cross-Origin-Resource-Policy" header or CORS).
    • "Cross-Origin-Resource-Policy" (CORP) header: This header indicates the security policy for a resource loaded by a document. The value "cross-origin" allows the resource to be loaded by documents from any origin.

  11. How can I limit the network's scope for the current tab so that network manipulations only occur for certain addresses?

    The "limit network's scope" property enables matching URLs based on specific patterns under a designated domain. Patterns are constructed using tokens for flexible matching. Below are examples of some patterns, their matches, and non-matches.

    Pattern Matching Examples

    • Scope: abc
      Matches: https://abcd.com, https://example.com/abcd
      Does not match: https://ab.com
    • Scope: abc*d
      Matches: https://abcd.com, https://example.com/abcxyzd
      Does not match: https://abc.com
    • Scope: ||a.example.com
      Matches: https://a.example.com/, https://b.a.example.com/xyz, https://a.example.company
      Does not match: https://example.com/
    • Scope: |https*
      Matches: https://example.com
      Does not match: http://example.com, http://https.com
    • Scope: example*^123|
      Matches: https://example.com/123, http://abc.com/example?123
      Does not match: https://example.com/1234, https://abc.com/example0123

    Best Practices for Writing URL Conditions

    To avoid unintended matches, ensure rules target entire domains precisely. Poorly crafted patterns may lead to unexpected behavior. For example:

    Recommended Patterns

    • Use ||google.com/ to match all paths and subdomains.
    • Use |https://www.google.com/ to match all paths without subdomains.
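
    A small matcher that reproduces the scope examples above, as an added example that is not the extension's own code. The token meanings are an assumption (those of Chrome's declarativeNetRequest "urlFilter" syntax, which the examples agree with); the function names and the google.company host are made up for illustration.

```javascript
// Assumed token semantics (declarativeNetRequest "urlFilter"):
//   *  wildcard      |  start/end anchor      ||  domain anchor
//   ^  separator: any char except letter, digit, "_", "-", ".", "%"; or end of URL
const SEPARATOR = '(?:[^A-Za-z0-9_.%-]|$)';

function scopeToRegExp(scope) {
  let body = scope, prefix = '', suffix = '';
  if (body.startsWith('||')) {
    // scheme, optional subdomain labels, then the pattern at a label boundary
    prefix = '^[a-z][a-z0-9+.-]*://(?:[^/?#]*\\.)?';
    body = body.slice(2);
  } else if (body.startsWith('|')) {
    prefix = '^';
    body = body.slice(1);
  }
  if (body.endsWith('|')) {
    suffix = '$';
    body = body.slice(0, -1);
  }
  const core = body
    .replace(/[.+?$(){}[\]\\|]/g, '\\$&')   // escape regex metacharacters, keep * and ^
    .replace(/\*/g, '.*')
    .replace(/\^/g, () => SEPARATOR);
  return new RegExp(prefix + core + suffix, 'i');
}
const inScope = (scope, url) => scopeToRegExp(scope).test(url);

// [scope, should match, should not match]: the page's examples, then the two
// recommended patterns with constructed URLs.
const ROWS = [
  ['abc', ['https://abcd.com', 'https://example.com/abcd'], ['https://ab.com']],
  ['abc*d', ['https://abcd.com', 'https://example.com/abcxyzd'], ['https://abc.com']],
  ['||a.example.com', ['https://a.example.com/', 'https://b.a.example.com/xyz', 'https://a.example.company'], ['https://example.com/']],
  ['|https*', ['https://example.com'], ['http://example.com', 'http://https.com']],
  ['example*^123|', ['https://example.com/123', 'http://abc.com/example?123'], ['https://example.com/1234', 'https://abc.com/example0123']],
  ['||google.com/', ['https://google.com/', 'https://mail.google.com/x'], ['https://google.company/']],
  ['|https://www.google.com/', ['https://www.google.com/search'], ['https://mail.google.com/']],
];

// Returns every [scope, url] pair whose result disagrees with ROWS.
function mismatches() {
  const bad = [];
  for (const [scope, yes, no] of ROWS) {
    for (const u of yes) if (!inScope(scope, u)) bad.push([scope, u]);
    for (const u of no) if (inScope(scope, u)) bad.push([scope, u]);
  }
  return bad;
}
console.log(mismatches().length === 0 ? 'all rows agree' : mismatches());
```

    The ||a.example.com row shows why the recommended patterns end in a slash: without it the scope also covers a.example.company, a different registrable domain.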

    Need help?

    If you have questions about the extension, or ideas on how to improve it, please post them on the support site. Don't forget to search through the bug reports first as most likely your question/bug report has already been reported or there is a workaround posted for it.

    Permissions are explained

    • storage: to save user preferences like enable or disable status after browser restart
    • <all_urls>: to be able to monitor and alter all web requests when the extension is enabled
    • webRequest: to be able to add network observer
    • webRequestBlocking: to be able to append custom headers to each web request when enabled
    • contextMenus: to add options to the right-click context menu item over the toolbar button