CORS Pilot

The reliable CORS bypass for web developers. Whitelist-first, tab-scoped, credentials-aware. Works on localhost.

CORS Pilot fixes the broken CORS workflow during local web development - the way the existing extensions should have. WHY THIS EXISTS --------------- If you've ever installed "Allow CORS: Access-Control-Allow-Origin" and found it didn't actually work on localhost:3000, broke other sites, or left you wondering whether it was doing anything at all - you're not alone. That extension has 800k+ users and years of 1-star reviews saying exactly those things, and it hasn't been updated in a long time. CORS Pilot is built to address every one of those complaints with real fixes, not marketing: WHITELIST-FIRST BY DEFAULT -------------------------- The default scope is a whitelist containing `localhost` and `127.0.0.1`. No global rewriting unless you ask for it. You'll never accidentally break your bank or email by leaving the extension on. TAB-SCOPED ACTIVATION --------------------- For one-off debugging, enable CORS rewriting for just the current tab. Comes with a 30-minute auto-off so you don't forget. Scoped via `declarativeNetRequest.condition.tabIds` so it literally can't leak to other tabs. CREDENTIALS MODE ---------------- Flip one toggle to install per-origin dynamic rules that echo back `Access-Control-Allow-Origin` with the specific origin + `Access-Control-Allow-Credentials: true`. Authenticated APIs (cookies, JWT) now work without hacks. VISIBILITY - YOU NEVER DEBUG BLIND ---------------------------------- A toolbar badge always shows the current state: `OFF` / `WL` / `TAB` / `ALL` / `CRD`. A DevTools panel shows live a log of every response the extension modified, what rule matched, and any failing preflights. SAFETY NET - 199 SENSITIVE DOMAINS ARE NEVER TOUCHED ---------------------------------------------------- Hard-coded blocklist of banks, government portals, auth providers, payment processors, and healthcare services. Even in global mode, these domains are never rewritten. The full list is public in our source. BUILT FOR 2026, NOT 2018 ------------------------ Manifest V3 from day one. `declarativeNetRequest` for rule-based rewriting (not deprecated `webRequestBlocking`). Service worker based. Ready for Chrome's ongoing MV3 enforcement. PRIVACY ------- Zero data collection. No analytics. No telemetry. No server. Everything is local. See the privacy policy for the detailed breakdown. OPEN SOURCE ----------- MIT licensed. Audit the code yourself at [GitHub URL to fill]. VERIFY IT WORKS --------------- Open the popup → "Self-test" to run a differential A/B test (extension off → on) against real CORS-blocked endpoints. You'll see with your own eyes that the rewriting actually happens, not just a "running" indicator. WHO THIS IS FOR --------------- - Frontend developers fighting CORS on localhost - API engineers testing authenticated endpoints from other origins - Anyone who has wasted an afternoon debugging "why doesn't CORS Pilot work" when it was actually their API 404'ing on OPTIONS (we'll warn you about that too) WHO THIS IS NOT FOR ------------------- - End users who want to "bypass CORS" on arbitrary sites for non-development use cases. CORS exists to protect users; this extension is scoped for developers who know when to turn it on and off. - Anyone expecting secretly collected analytics. We don't do that. SUPPORT ------- - Open an issue on GitHub - Read the self-test and DevTools panel outputs first - they often surface the actual problem (e.g., server 404s on OPTIONS, strict CSP blocking the request, etc.)