CORS Unlocker icon CORS Unlocker
Integration FAQ Privacy

Frequently Asked Questions

Find answers to common questions about CORS Unlocker extension and npm package. Get quick solutions for cross-origin request management and technical support.

How It Works

🔧 How does the CORS Unlocker extension work?

CORS Unlocker simplifies cross-origin request management by intelligently modifying HTTP headers:

🌐 Enable Data Loading Adds Access-Control-Allow-Origin headers to server responses, allowing your web application to fetch data from external APIs that would normally block cross-origin requests.

🔐 Support Authentication When Site Auth is enabled, allows credentialed requests to include cookies and authentication headers for accessing protected resources.

Configuration & Usage

🔑 What is Site Auth and when should I use it?
⚠️ Important Security Note

Site Auth allows sharing authentication data (cookies, tokens) with cross-origin requests. Only enable for trusted websites.

Enable Site Auth when:

  • Accessing authenticated APIs
  • Working with user-specific data
  • Developing with login-protected services
  • Testing member-only features

Disable Site Auth when:

  • Working with public APIs
  • Testing on untrusted websites
  • Prioritizing privacy protection
  • Using anonymous data sources

Known Limitations

⚠️ What are the technical limitations of this extension?
Manifest V3 Limitations

Due to browser security restrictions, some CORS scenarios cannot be resolved by extensions.

🚫 Preflight Request Failures

If the target server doesn’t support OPTIONS requests or returns non-success responses for preflight requests, complex CORS requests will still fail. This affects:

  • Requests with custom headers (not simple headers)
  • Non-simple HTTP methods (PUT, DELETE, PATCH, etc.)
  • Requests with certain content types (application/json with custom headers)

💡 Workaround: Contact the API provider to properly implement CORS preflight support.

🖼️ iframe and Embedded Content Issues

The extension only works for the main page origin. If your request originates from:

  • iframe elements
  • Embedded widgets
  • Web workers in different origins

You must enable CORS for the iframe’s origin, not the parent page’s origin.

💡 Solution: Use the extension popup while on the iframe’s actual domain, or configure CORS for the correct origin.

Troubleshooting

🐛 Why isn’t the extension working?

1️⃣ Extension Status Verify the extension is installed and enabled. Look for the CORS Unlocker icon in your browser toolbar.

2️⃣ Protocol Support Only HTTP/HTTPS websites are supported. Local files (file://) and other protocols won’t work.

3️⃣ Origin Matching Ensure you’ve enabled the extension for the correct origin. Each domain needs separate activation.

4️⃣ Extension Conflicts Other security extensions or ad blockers might interfere. Try disabling them temporarily to test.

Security & Integration

🛡️ Is the npm package integration secure?

User Control

When websites request CORS access through our npm package, you are always prompted to approve or deny the request. You maintain complete control over which sites can access cross-origin resources.

🔧 Management Features:

  • Real-time permission prompts for new requests
  • Granular control per website/domain
  • Easy permission revocation in extension options
  • Complete audit trail of active permissions
🔒 How do you handle privacy and data protection?

We prioritize your privacy with a zero-data-collection policy. All settings are stored locally on your device, and no information is ever transmitted to external servers.

Learn more: Read our complete Privacy Policy for detailed information about data handling and security measures.

Getting Help

💬 Still need help? Can’t find what you’re looking for? We’re here to help!

Get Support

📝 Report an Issue 📚 View Documentation

💖 Love CORS Unlocker? Help us keep it free and open source for everyone!

Support Our Work

Your support helps us continue developing and maintaining this tool

Buy us a coffee