I've created a Chrome extension that connects to Google Drive for data storage, because storage.sync is unreliable and too small. Chrome has had the
identity API for that for a while. The result is an oauth access_token for a Google service (Drive in this case). WebExtensions has
identity support too (in Nightly at least) and I can produce a Google Drive access_token with it. But then...
My addon can't do any requests to Google Drive, because it doesn't add (valid) CORS headers. Chrome doesn't have a problem with this, probably because it doesn't use CORS in addon code, so it doesn't need Drive to add CORS headers. Firefox apparently does require this.
How do I tell Firefox to 'trust' my addon code, or tell Drive to give me CORS?
I've tried requests with an Authorization header and requests with an access_token query param, and both fail (but slightly differently) for CORS reasons.
I must be missing something stupid, because HTTP requests in an addon seem very common.
Firefox needs an extra global permission for this:
<all_urls>. Chrome has that permission too, but doesn't use it for this purpose. Firefox apparently needs it. With that, no more CORS errors.