WebExtension CORS to Google Drive - FIXED

I’ve created a Chrome extension that connects to Google Drive for data storage, because storage.sync is unreliable and too small. Chrome has had the identity API for that for a while. The result is an oauth access_token for a Google service (Drive in this case). WebExtensions has identity support too (in Nightly at least) and I can produce a Google Drive access_token with it. But then…

My addon can’t do any requests to Google Drive, because it doesn’t add (valid) CORS headers. Chrome doesn’t have a problem with this, probably because it doesn’t use CORS in addon code, so it doesn’t need Drive to add CORS headers. Firefox apparently does require this.

How do I tell Firefox to ‘trust’ my addon code, or tell Drive to give me CORS?

I’ve tried requests with an Authorization header and requests with an access_token query param, and both fail (but slightly differently) for CORS reasons.

I must be missing something stupid, because HTTP requests in an addon seem very common.

FIXED:

Firefox needs an extra global permission for this: <all_urls>. Chrome has that permission too, but doesn’t use it for this purpose. Firefox apparently needs it. With that, no more CORS errors.
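Added example, not part of the original thread or of Firefox's code: a simplified match-pattern check showing which manifests hold a host permission for the Drive and tokeninfo requests discussed here. It assumes, per the WebExtensions host-permission model, that a pattern limited to `https://www.googleapis.com/*` lifts the cross-origin restriction for that host just as `<all_urls>` does, while covering nothing else; the thread itself only tested `<all_urls>`. The manifests, function names and sample URLs are constructed for illustration.

```javascript
// Added example: simplified match-pattern check, not Firefox's implementation.
// Constructed manifests: no host permission, the thread's fix, a narrower option.
const MANIFEST_NONE = { permissions: ["identity"] };
const MANIFEST_BROAD = { permissions: ["identity", "<all_urls>"] };
const MANIFEST_NARROW = { permissions: ["identity", "https://www.googleapis.com/*"] };

// Turn a match-pattern path ("*" = any run of characters) into an anchored RegExp.
function globToRegExp(glob) {
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  return new RegExp("^" + escaped + "$");
}

// True if one permission entry covers the URL. Simplification: http(s) only.
function patternCovers(pattern, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "https") return false;
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) return false; // API permissions such as "identity" are not host patterns
  const [, pScheme, pHost, pPath] = m;
  const schemeOk = pScheme === "*" || pScheme === scheme;
  const hostOk = pHost === "*" ? true
    : pHost.startsWith("*.")
      ? u.hostname === pHost.slice(2) || u.hostname.endsWith(pHost.slice(1))
      : u.hostname === pHost;
  // The path part of a pattern is compared with URL path plus query string.
  return schemeOk && hostOk && globToRegExp(pPath).test(u.pathname + u.search);
}

// Does the manifest hold a host permission for this request URL?
function hasHostPermission(manifest, url) {
  return (manifest.permissions || []).some((p) => patternCovers(p, url));
}

// Constructed sample requests (the token value is a placeholder).
const DRIVE_URL = "https://www.googleapis.com/drive/v3/files";
const TOKENINFO_URL = "https://www.googleapis.com/oauth2/v3/tokeninfo?access_token=PLACEHOLDER";
const OTHER_URL = "https://example.com/private";

for (const [name, m] of Object.entries({ MANIFEST_NONE, MANIFEST_BROAD, MANIFEST_NARROW })) {
  console.log(name, [DRIVE_URL, TOKENINFO_URL, OTHER_URL].map((u) => hasHostPermission(m, u)));
}
```

Only the manifest without a host pattern leaves the Drive request subject to CORS; the narrow pattern covers both Google endpoints without granting the extension access to every other site.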

I think the support for the identity API in WebExtensions is fairly limited. @andym, do you know if this should work?

identity doesn’t seem to be the problem. It’s not as easy as Chrome’s, but it works. CORS is the problem. After identifying, how do you connect to a service, any service (in this case Drive)?? They all have CORS, and Firefox checks for that. Chrome doesn’t, inside an extension.

Sorry I don’t know. There was an example using the identity API to do the google login dance here: https://github.com/mdn/webextensions-examples/pull/141/files#diff-c4ed996af099c51e2feba0227c1833bbR95 but it didn’t do anything past that.

I saw that one. It does a call to https://www.googleapis.com/oauth2/v3/tokeninfo after auth, with the token in the query. That doesn’t even work for me. Maybe Google changed their CORS policy…

But this should be a problem in many Firefox addons. The addon shouldn’t have to fight past the CORS restrictions. Does it?

There’s this bug about CSP, which is currently open, meaning it hasn’t been addressed yet. Not sure if there’s any overlap with CORS.

I think that’s a different case. The CSP spec also says bookmarklets etc should still work, but those break from CSP headers too. That’s a different kind of disappointment. I’m interested in CORS in Firefox addons. I can’t believe all Firefox addons have to fight through CORS. Chrome extensions don’t…