greenie-beans

Reputation: 520

Whitelist a CORS policy for a browser extension?

I have a browser extension which POSTs to a server. I want to whitelist the extension's origin in my server. For instance, requests for the Chrome extension originate from a location like: chrome-extension://fjhbdidbplpijoncnlfoadfadfasdf and from Firefox like: moz-extension://cadf4351-e4f3-ca4d-b974-812309843dafd

I realize that I can whitelist those particular addresses on my server, but I'm not sure if they're static addresses. Do these randomly generated locations ever change, like if I ever submit an update? Is there any way to set them permanently?

Upvotes: 2

Views: 1177

Answers (1)

Xan

Reputation: 77571

Do those change?

The situation differs for Chrome and Firefox.

Chrome

For released extensions that are on the Web Store, the ID is fixed. You can rely on it.

For unpacked extensions in development, the ID is determined either by the "key" value in the manifest, if present, or the absolute path to the extension folder. So it may change if you move the extension about. But you can "pin" it by providing a valid "key".

Firefox

What you see in Mozilla is an installation-specific origin. No matter what the extension's ID is, the UUID you see here will differ on each extension install (but should persist through updates).

There's some discussion of the mechanism in this bug.

Essentially, this is an anti-extension-blocking technique.

This means you can't whitelist just one origin and be done with it, unfortunately.

Is it a good idea to rely on this?

Probably not. While browsers tend to report Origin faithfully, other tools capable of generating requests don't follow that. So it would be relatively easy to spoof.

Upvotes: 3
