CORS policy blocks script access in development #971
Comments
aqiongbei
changed the title
|
managed to resolve by adding |
now, we have another issue. |
|
i just encounter this same issue about websocket and take a lot time to find the reason. luckily, i found it. because of the update of vite. they add following this link so the resolution is adding the legacy option to your vite config to close token verifying, then the problem solved. |
|
@liuwilliamBUPT you resolve my problem, thx you bro. You're really amazing! legacy: {
skipWebSocketTokenCheck: true,
} |
|
Amazing work @liuwilliamBUPT and @aqiongbei I'm going to reopen this because this is a significant breaking change in Vite that's affecting Chrome Extension development workflows. If you've updated Vite recently and your extension development suddenly stopped working, this is why. What's HappeningStarting with these Vite versions:
Vite changed default CORS policies in the dev server, which breaks CRXJS's development workflow. While this was done for security reasons, it's causing real issues for extension developers. Quick FixIf you need to get back to work immediately, you can add this to your vite.config.js: export default defineConfig({
// ... existing config
legacy: {
skipWebSocketTokenCheck: true
}
})Long-term SolutionCRXJS should update to properly handle Vite's new WebSocket security requirements. Something like this might work: // vite.config.js
export default defineConfig({
server: {
cors: {
origin: [
'chrome-extension://', // Allow all extensions in dev
// Or for production, specific extension IDs:
// 'chrome-extension://<your-extension-id>'
]
}
}
})Related Links
Would appreciate feedback from extension developers on these solutions, particularly if you're working with different Chrome extension configurations. |
jacksteamdev
changed the title
|
Sorry for the breakage. For the websocket connection, passing the token here would probably work: In other words, it can probably be fixed by updating this line to new WebSocket(`${socketProtocol}://${socketHost}?token=${token}`, 'vite-hmr'). You can get the token from config.webSocketToken in the configResolved hook.Ideally, it should not connect to the WebSocket server on its own and instead use import.meta.hot. I assume it's related to that fact that ESM support in extensions are not good. Is that the reason why it's connecting on its own?
For |
|
I have the same problem, even after adding the following to the vite.config.ts It seems that just when I add the "host_permissions": ["<all_urls>"] to the manifest the problem is solved. But obviously, I don't want to ask for this kind of permission. Asking for permissions to all websites get Google to take ages when reviewing every update + it can show a warning to users. Is there another way to solve this for now? |
|
@nechmads I believe it is possible to generate the manifest.json dynamically, where it is possible to configure this permission only when the environment is development, and then not add this line in the manifest.json of the build (production). I saw this in some code where the extension generated the manifest dynamically depending on the target browser and the environment. Including the background permission itself is an example, you may not need it in production. And here we are dealing with a problem when connecting to the Vite server to hot reload the extension while we are developing, it is not necessary in production because everything will be in the .js files. |
|
@aqiongbei Use npm init vite@^3.0 crxjs's website says it only supports vite 2 and 3 (3 is beta) |
|
I kept getting CORS error until I added this in defineConfig of vite.config.js file server: {
cors: {
origin: '*'
}
}, |
|
Wasted a few hours trying to fix this issue today "Error during WebSocket handshake: Unexpected response code: 400"
|
Let us know when the long-term solution is available |
If you are using a If you are using a |
This is an automated message. Please do not reply to this comment. |
Can I just say, Thank you Vite Core maintainer @sapphi-red for responding here and pointing maintainers in the right direction... I see little to no response to this very valuable comment... |
thanks this saved my time |
|
@jacksteamdev it seems like your response above assumes there is only 1 issue, but I believe are 2 issues which would both need to be handled separately.
There are also some suggestions in this thread to add "localhost:5173" to manifest.json, but I don't see why that would be necessary. I don't think we need any updates for a prod build, and the dev fixes can be handled in vite.config.ts. Is this all correct? I just wanted to make sure I'm understanding properly and that the scope of the issue is well defined. Note that I needed to use the regex version of your suggested origin ( For others looking for a short term solution, this is what worked for me
Here's what I added in my vite config. server: {
cors: {
origin: [
// ⚠️ SECURITY RISK: Allows any chrome-extension to access the vite server ⚠️
// See https://github.com/crxjs/chrome-extension-tools/issues/971 for more info
// I don't believe that the linked issue mentions a potential solution
/chrome-extension:\/\//,
],
},
},
legacy: {
// ⚠️ SECURITY RISK: Allows WebSockets to connect to the vite server without a token check ⚠️
// See https://github.com/crxjs/chrome-extension-tools/issues/971 for more info
// The linked issue gives a potential fix that @crxjs/vite-plugin could implement
skipWebSocketTokenCheck: true,
}, |
|
@martinbutt do you know why it would be necessary to update manifest.json? |
|
During development only, vite.js opens a websocket to Browser extensions require a list of all of the places they can open a network connection to in the So for the websocket to work when using vite.js to develop browser extensions, it needs to have If you do this, you don't need to make any other changes. |
|
@martinbutt correct me if I'm wrong, but this will only allow the extension to make a connection to the vite server. That doesn't necessarily mean that the vite server will accept that connection? I tested making this change in manifest.json with no changes in vite config, and it didn't resolve the issue. Like I said in my comment, I was able to "fix" the issue by editing the vite config file, nothing else. Which version of vite are you on? The versions that do not require a change to your vite config are Maybe you are on one of these? |
Build tool
Vite
Where do you see the problem?
Describe the bug
i create a react crx demo according to this guide Get Started with React, when i run
pnpm dev, i found this error info in chrome extension inspect page(chrome://extensions/?errors=gbfkgllkhphjnpfpgfgmpahkbekgeenh)the service-worker-loader.js's content is
my chrome version is 131.0.6778.265 (arm64)
Reproduction
do according to Get Started with React.
Logs
System Info
System: OS: macOS 12.7.6 CPU: (8) arm64 Apple M1 Pro Memory: 121.64 MB / 16.00 GB Shell: 5.8.1 - /bin/zsh npmPackages: @crxjs/vite-plugin: 2.0.0-beta.30 => 2.0.0-beta.30 @eslint/js: ^9.17.0 => 9.18.0 @types/react: ^18.3.18 => 18.3.18 @types/react-dom: ^18.3.5 => 18.3.5 @vitejs/plugin-react: ^4.3.4 => 4.3.4 eslint: ^9.17.0 => 9.18.0 eslint-plugin-react-hooks: ^5.0.0 => 5.1.0 eslint-plugin-react-refresh: ^0.4.16 => 0.4.18 globals: ^15.14.0 => 15.14.0 react: ^18.3.1 => 18.3.1 react-dom: ^18.3.1 => 18.3.1 typescript: ~5.6.2 => 5.6.3 typescript-eslint: ^8.18.2 => 8.20.0 vite: ^6.0.5 => 6.0.9Severity
annoyance
The text was updated successfully, but these errors were encountered: