[sigmoid10]

Chrome exposes these files via a URL that you can fetch in javascript like you would any other file on a normal website. These local extension files usually contain code, styles or images that your browser needs to run the extensions.

[pbhjpbhj]

Why is it not a CORS violation?

The browser needing access and a random website having access are quite different. Seems like a big ol' pile of vulns waiting to happen.

[sigmoid10]

CORS is a server setting to tell the browser not to load its data from potentially unsafe origins. If you set a server to send access-control-allow-origin: *, then your browser will happily load these resources for you regardless of where you currently are. And chrome extensions need to be loadable from everywhere to be able to inject code or images into pages, so enabling CORS for them would defeat their main purpose. The extensions themselves might even need to bypass an existing CORS setup for the website you are currently on to fetch additional data.

[pbhjpbhj]

From the other end, yes extensions access all page data, but pages shouldn't access extension data at all; it feels like that should be the CORS violation.

[sigmoid10]

You have it backwards. For an extension to work on a page, it's data/code needs to be accessible from said page. If your extension server in chrome enforced CORS to prevent access from tabs on other websites, extensions wouldn't work anywhere.