I repeated the tests.
- Server: localhost
- Client: localhost, Firefox with unmodified webextension from AMO
It fails with the unmodified code, with the well-known message (console).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost/owncloud/index.php/apps/notes/api/v0.2/notes?exclude=content. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).
But if you add the value of the origin value, in my case moz-extension://24e15b45-d986-4db8-a1f8-23917bcd638c, to the list of “white” domains, then it works.
Please find the whireshark protocols at pastebin:
So the question remains: Why is such a request blocked at all?