Issue 897101

Starred by 3 users

Issue metadata

Status: Assigned
Owner:
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux, Windows, Mac
Pri: 2
Type: Bug

The ability for extensions to manipulate Cross-Origin Resource Sharing (CORS) headers disables the Same Origin Policy in browsers

Reported by emos.ere...@gmail.com, Oct 19

Issue description

UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.67 Safari/537.36

Steps to reproduce the problem:
1. Install this extension
2. Navigate to any webpage 
3. Open the console and make any cross-origin request

What is the expected behavior?
If the server does not support CORS, then no data is returned

What went wrong?
The extension is adding the necessary CORS headers and making the request successful

WebStore page: https://chrome.google.com/webstore/detail/corser/elgclnafddmkhhnhlfgfahgbahkginga

Did this work before? N/A 

Chrome version: 70.0.3538.67  Channel: stable
OS Version: 
Flash Version: 

This extension is part of research we are doing on the ability of extensions to tamper with CORS headers. The consequence of this capability is that extensions can then disable the Same Origin Policy in browsers with regard to cross-origin requests. This allows any script running in the user's browser to make successful cross-origin requests even to servers that do not allow such requests.

We created this CORSER extension to test whether it is a problem, from the browser vendors' perspective, to publish an extension that disables the SOP in browsers.

The answer is no. We also found many other extensions in the Chrome Web Store that disable the SOP in browsers by tampering with CORS headers. More surprisingly, we found some that break legitimate CORS requests because of harsh modifications of CORS headers.
 
We think that the ability for extensions to tamper with security-critical headers such as CORS, CSP and X-Frame-Options must not be granted to extensions by default merely because they have requested the webRequest and webRequestBlocking permissions (such a policy is already enforced on cache-related headers, which are not modifiable).
Alternatively, we suggest that security-critical headers be made part of the permissions system. In other words, extensions would have to request dedicated permissions in order to be able to tamper with CORS headers. For instance, to tamper with the Access-Control-Allow-Origin header, an extension would have to explicitly declare it in its set of permissions. This way, vendors could even notify the user that an extension being installed is potentially going to tamper with security headers.
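As an added illustration of the capability the report describes (this is example code written for this page, not the CORSER extension's own source): with only the webRequest and webRequestBlocking permissions, a background script can rewrite CORS response headers from a blocking onHeadersReceived listener. The manifest sketched in the comment is hypothetical, and the two rewrite strategies show both failure modes raised above: forcing a wildcard origin (which also breaks legitimate credentialed CORS, the "harsh modification" case) and reflecting the initiating origin with credentials (the full SOP bypass). The header-list helpers are plain functions so the logic can be checked outside a browser.

```javascript
// Added example for this thread, not the CORSER extension's code: how an
// extension holding the "webRequest" and "webRequestBlocking" permissions can
// rewrite CORS response headers from a blocking onHeadersReceived listener.
// The manifest this assumes (hypothetical, Manifest V2 as used in 2018):
//   { "manifest_version": 2, "name": "cors-rewrite-demo", "version": "0.1",
//     "permissions": ["webRequest", "webRequestBlocking", "<all_urls>"],
//     "background": { "scripts": ["background.js"] } }

// Header names are case-insensitive, so all comparisons use lowercase names.
const ACAO = "access-control-allow-origin";
const ACAC = "access-control-allow-credentials";

// Value of the first header with this name, or undefined if absent.
function findHeader(headers, name) {
  const h = headers.find((x) => x.name.toLowerCase() === name);
  return h ? h.value : undefined;
}

// Copy of the header list with every occurrence of `name` removed.
function stripHeader(headers, name) {
  return headers.filter((x) => x.name.toLowerCase() !== name);
}

// Variant 1, the "harsh" rewrite: force Access-Control-Allow-Origin: * on every
// response. Anonymous cross-origin reads now succeed everywhere, but a server
// that deliberately sent a specific origin together with
// Access-Control-Allow-Credentials: true is broken, because the browser rejects
// "*" for a credentialed request.
function forceWildcard(responseHeaders) {
  return stripHeader(responseHeaders, ACAO).concat([
    { name: "Access-Control-Allow-Origin", value: "*" },
  ]);
}

// Variant 2: reflect the initiating origin and allow credentials. This is the
// full SOP bypass the report describes: any page can read authenticated
// responses from any server. `initiator` is what Chrome passes as
// details.initiator (origin of the page that issued the request, Chrome 63+).
function reflectOrigin(responseHeaders, initiator) {
  if (!initiator) return responseHeaders; // no initiator known: leave the response alone
  let out = stripHeader(responseHeaders, ACAO);
  out = stripHeader(out, ACAC);
  return out.concat([
    { name: "Access-Control-Allow-Origin", value: initiator },
    { name: "Access-Control-Allow-Credentials", value: "true" },
  ]);
}

// Review check: does a rewrite turn a working credentialed CORS response into
// one the browser will refuse (specific origin + credentials replaced by "*")?
function breaksCredentialedCors(before, after) {
  const allowedCreds = (findHeader(before, ACAC) || "").toLowerCase() === "true";
  const beforeOrigin = findHeader(before, ACAO);
  const hadSpecificOrigin = beforeOrigin !== undefined && beforeOrigin !== "*";
  return allowedCreds && hadSpecificOrigin && findHeader(after, ACAO) === "*";
}

// Inside an extension, register the blocking listener. Guarded so the same file
// also loads under plain Node, where `chrome` does not exist.
if (typeof chrome !== "undefined" && chrome.webRequest) {
  chrome.webRequest.onHeadersReceived.addListener(
    (details) => ({
      responseHeaders: reflectOrigin(details.responseHeaders, details.initiator),
    }),
    { urls: ["<all_urls>"] },
    ["blocking", "responseHeaders"]
  );
}
```

The listener returns a new responseHeaders array; Chrome replaces the response's headers with it before the renderer performs its CORS check, which is why neither the page nor the server can tell that the policy was rewritten.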
Labels: Needs-Triage-M70
Cc: swarnasree.mukkala@chromium.org
Labels: Triaged-ET Needs-Feedback
Tried testing the issue on the reported Chrome version 70.0.3538.67 on Ubuntu 17.10 by following the steps below.

Steps:
=====
1. Launched Chrome and installed the extension "https://chrome.google.com/webstore/detail/corser/elgclnafddmkhhnhlfgfahgbahkginga".
2. Navigated to "https://fiddle.sencha.com/#fiddle/kvu&view/editor".
3. Opened DevTools -> Console.
4. Clicked on the "Submit CORS" button.
5. In the console entered "cross-origin" and observed an error "Uncaught ReferenceError: cross is not defined".

Attached screencast for reference.
@reporter: Could you please review the attached screencast and let us know if anything is being missed from our end. If possible, please provide a sample file/URL and a screenshot/screencast of the issue.
Thanks!
Attachment: 897101.webm (1.3 MB)
There are 4 mistakes in your demo that make it fail (see the detailed explanation in the attached file).


What you can do instead is the following.
Replace http://updates.html5rocks.com with https://developers.google.com/web/updates/

That way you will be making an HTTPS AJAX request from an HTTPS webpage.
Moreover, http://updates.html5rocks.com redirects to https://developers.google.com/web/updates/, so you will get what you are looking for.

Please consider trying my JS file instead. It gives you more control over AJAX requests.



Attachment: chromium.js (2.6 KB)
Comment 5 by sheriffbot@chromium.org, Oct 26

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Cc: phanindra.mandapaka@chromium.org
Labels: Needs-Feedback
Thanks for the feedback.

As per the attached file chromium.js in comment #4, it is not possible for the test team to test the issue with a .js file. Hence we request you to provide a sample URL/HTML test file so that we can investigate the issue further.

Thanks!
Here is a link to test the extension: https://jsfiddle.net/ekj0xq1h/7/

Please install the extension, enter the URL to fetch, and hit "Submit". The response to the request is displayed in the textarea.
Comment 8 by sheriffbot@chromium.org, Nov 2

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Needs-Feedback
Thanks for the feedback.

As per comment #7, retried the issue on the reported Chrome 70.0.3538.67 and the latest Chrome 70.0.3538.77 on Ubuntu 14.04. Attaching a screenshot for reference.
Steps:
-----
1. Launched Chrome
2. Installed the extension
3. Navigated to the given URL https://jsfiddle.net/ekj0xq1h/7/ and clicked on "Submit"
We observed the response in the textarea.

@Reporter: Could you please check the attached screenshot and let us know if anything was missed from our end.

Thanks!

Attachment: 897101.png (267 KB)
It's all good :-)
Comment 11 by sheriffbot@chromium.org, Nov 9

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Needs-Feedback
Thanks for the feedback.

@Reporter: Could you please upgrade to the latest Chrome stable 70.0.3538.102 (you can download the latest Chrome builds here: https://www.chromium.org/getting-involved/dev-channel) and let us know whether the issue still persists? If it is no longer seen, please confirm that we can close the issue from our end.

I upgraded Chrome to version 70.0.3538.102, as you can see from my new User-Agent "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36".

The issue is still there. Do you mind explaining how you tried to fix the issue?
Comment 14 by sheriffbot@chromium.org, Nov 12

Labels: -Needs-Feedback
Thank you for providing more feedback. Adding the requester to the cc list.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: Target-72 M-72 FoundIn-71 FoundIn-70 FoundIn-72 OS-Mac OS-Windows
Status: Untriaged (was: Unconfirmed)
As per comment #7, comment #9 and comment #10, able to reproduce the issue on the reported Chrome version 70.0.3538.67, the latest stable 70.0.3538.102 and the latest Chrome 72.0.3608.0 on Mac 10.14.0, Ubuntu 17.10 and Windows 10.

The same behavior is seen on M60 (60.0.3112.113), hence considering it a non-regression and marking it Untriaged.

Thanks!
Cc: rdevlin....@chromium.org mea...@chromium.org
Labels: Security
I have also thought about this, and it seems to me that introducing another permission might make sense if we have seen this capability being used maliciously. It would aid in static analysis of the extension package. That said, I don't think permissions like these can be shown as part of permission messages to the user.

cc'ing some folks who might have thoughts about this.
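The comment above notes that a dedicated permission would aid static analysis of the extension package. Until such a permission exists, a reviewer is left pairing the manifest's permission set with a scan of the scripts. The following is an added example written for this page (not Chrome's review tooling, and not code from any participant): it reads an unpacked extension's manifest and JavaScript, reports whether the webRequest + webRequestBlocking pair is present, and whether any script registers a blocking onHeadersReceived listener that names a security-critical response header. The header list and the regex are this example's own heuristics.

```javascript
// Added example, not Chrome's review tooling: a static check over an unpacked
// extension for the header-rewriting capability discussed in this thread.
// The header list and the regex below are assumptions made for this example.

const SECURITY_HEADERS = [
  "access-control-allow-origin",
  "access-control-allow-credentials",
  "access-control-allow-methods",
  "access-control-allow-headers",
  "content-security-policy",
  "x-frame-options",
];

// True when the manifest grants the permission pair that lets a listener
// rewrite headers (optional_permissions count: they can be granted later).
function canRewriteHeaders(manifest) {
  const perms = [].concat(manifest.permissions || [], manifest.optional_permissions || []);
  return perms.includes("webRequest") && perms.includes("webRequestBlocking");
}

// Findings for one script: which security headers it names, and whether it
// registers a blocking onHeadersReceived listener (the only hook that can change
// response headers before the renderer applies CORS, CSP or X-Frame-Options).
function scanSource(source) {
  const lower = source.toLowerCase();
  return {
    headers: SECURITY_HEADERS.filter((h) => lower.includes(h)),
    // "blocking" must appear within 500 chars after onHeadersReceived, which
    // covers the usual addListener(fn, filter, ["blocking", ...]) shape.
    blockingResponseHook: /onHeadersReceived[\s\S]{0,500}?["']blocking["']/.test(source),
  };
}

// Combine manifest and scripts into a verdict a reviewer can act on.
function assessExtension(manifest, sources) {
  const capability = canRewriteHeaders(manifest);
  const headers = new Set();
  let hook = false;
  for (const src of sources) {
    const r = scanSource(src);
    r.headers.forEach((h) => headers.add(h));
    hook = hook || r.blockingResponseHook;
  }
  let verdict = "clean";
  if (capability && hook && headers.size > 0) verdict = "rewrites-security-headers";
  else if (capability) verdict = "has-capability";
  return { capability, blockingResponseHook: hook, headers: [...headers].sort(), verdict };
}

// Command-line use (CommonJS only): node scan.js /path/to/unpacked-extension
if (typeof require === "function" && typeof module !== "undefined" &&
    require.main === module && process.argv[2]) {
  const fs = require("fs");
  const path = require("path");
  const dir = process.argv[2];
  const manifest = JSON.parse(fs.readFileSync(path.join(dir, "manifest.json"), "utf8"));
  const walk = (d) => fs.readdirSync(d, { withFileTypes: true }).flatMap((e) =>
    e.isDirectory() ? walk(path.join(d, e.name))
      : e.name.endsWith(".js") ? [path.join(d, e.name)] : []);
  const sources = walk(dir).map((f) => fs.readFileSync(f, "utf8"));
  console.log(JSON.stringify(assessExtension(manifest, sources), null, 2));
}
```

A "has-capability" verdict is the point the thread makes: today the permission pair alone says nothing about which headers will be touched, so a reviewer has to fall back on source heuristics like these, which a minified or dynamically built header name defeats. A dedicated per-header permission would move that fact into the manifest, where it can be checked exactly.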
Thank you for providing feedback! Such permissions would definitely help during the review process. For the average user, showing such permissions would not make any sense, but for someone who can understand them, I think it's worth it!

Anyway, let's see what the folks think about that.

Owner: karandeepb@chromium.org
Status: Assigned (was: Untriaged)
Might be useful to add usage stats to determine how common this is.
A few extensions I found manipulating CORS headers can be found in the attached file!
Attachment: chrome.js (17.8 KB)