Do I need the extension to use wsdlsoap.com?

No. The site works fully without it for any WSDL exposed with CORS headers. The extension is required only when the WSDL or SOAP endpoint blocks browser requests (corporate intranet, custom auth, self-signed certs, mTLS).

What does the extension do beyond loading the WSDL?

Since v1.1.0 it also relays the SOAP test requests sent from the analyzer's Test modal — including SOAP faults (4xx/5xx), custom headers, Basic Auth and mTLS client certificates.

Does the extension send my WSDLs to a server?

No. The extension's service worker runs locally in your browser and only talks to the target SOAP endpoint you typed. No telemetry, no logging, no third-party servers.

Does it work on Firefox?

Yes — separate Firefox build available on AMO. Same protocol (Manifest V3).

v1.1.0 — Chrome · Edge · Brave · Opera · Firefox

🧩 Soap Reader CORS Proxy Extension

A browser extension that lets wsdlsoap.com load any WSDL and send SOAP test requests without browser CORS restrictions — with Basic Auth, custom headers, and mTLS client certificates. No server-side processing, no telemetry.

⬇ Install for Chrome / Edge 📋 Installation steps 🔌 How it integrates

Why might you need it?

The analyzer at wsdlsoap.com/wsdl-analyzer works fully without the extension for any WSDL whose server returns proper CORS headers. You only need this extension when one of these happens:

The WSDL/endpoint blocks browser requests with a CORS error.
The service requires Basic Auth, custom auth headers (e.g. x-api-key) or an mTLS client certificate.
You want to see SOAP faults (4xx/5xx) with the response body instead of generic network errors.
The service is on a VPN / corporate network reachable only from your machine.

How it compares to other options

The site has four ways to bypass CORS. Pick the one that fits your environment:

Option	Install	WSDL Load	SOAP Test	Basic Auth	mTLS	VPN-only
🧩 This Extension	Web Store	✓	✓ (since v1.1.0)	✓	✓ (ChromeOS)	✓ (your IP)
🔒 Local Proxy (Node/Python)	`node local-proxy.js`	✓	—	manual	—	✓ (your IP)
☁️ Edge Proxy (auto)	None	✓	—	—	—	—
🐵 Tampermonkey Script	Userscript	✓	—	—	—	✓ (your IP)

Recommendation: if you're going to test SOAP operations (not just inspect the WSDL), the extension is the only option that covers both load and test in a single click.

Installation (3 steps)

Install from the store

Click Install for Chrome in the Chrome Web Store (works on Chrome, Edge, Brave, Opera). For Firefox, install from AMO. The whole package is < 125 KB.

Open wsdlsoap.com

The 🧩 Extension panel on the analyzer sidebar will flip to v1.1.0 (green badge). That confirms the page detected the extension.

Configure auth (optional)

Click the extension icon in the toolbar to add a Basic Auth credential, custom headers (e.g. x-api-key), or upload an mTLS .p12 / .pem certificate.

How the integration works

The site and the extension speak through window.postMessage. No global page-script injection, no privileged access — only messages with a specific type pass through.

1 · Page — wsdl-analyzer.html

User clicks Send Request in the Test modal.

▼

2 · Page — endpoint-tester.js

Detects window.__soapReaderExtension and routes through the extension instead of calling fetch() directly.

postMessage({ type: 'SOAPREADER_EXT_FETCH', url, method: 'POST', body, headers })

▼

3 · Extension — content.js (ISOLATED world)

Validates the origin (only wsdlsoap.com and localhost are allowed) and forwards to the service worker.

chrome.runtime.sendMessage({ type: 'fetchWsdl', url, method, body, headers, authConfig })

▼

4 · Extension — background.js (service worker)

Merges stored Basic Auth / custom headers / mTLS. Runs as a privileged context — no CORS restrictions apply.

fetch(url, { method, headers, body })

▼

5 · Target SOAP server

Returns any status — including 4xx/5xx SOAP faults with full body.

▼

6 · Extension — background.js (response)

Wraps the response and returns it to the page.

{ status, statusText, headers, body }

▼

7 · Page — Test results panel

Renders the SOAP response (or fault), copy button, response headers and timing.

The protocol is identical for the initial WSDL load (GET) and for the SOAP test (POST) — only method and body differ. Same security boundary, same origin check.

What the extension enables

🌐

CORS bypass

The browser's CORS layer doesn't apply to extension service workers — every fetch goes through cleanly.

🧪

SOAP test (v1.1.0)

POSTs from the Test modal now flow through the extension, with the full SOAP response visible.

🔑

Basic Auth

Stored credentials applied automatically. Per-request overrides supported.

📋

Custom Headers

Define x-api-key, token, x-tenant-id, etc. once — used in every request.

🔐

mTLS (ChromeOS)

Upload .p12/.pem client cert; Chrome presents it on TLS handshake.

🔍

Smart Auth Detection

Scans WSDLs for WS-Security / UsernameToken markers and surfaces hints.

🔗

DNR CORS Injection

Optional mode that injects Access-Control-Allow-Origin: * for direct fetches.

🤖

AI-ready (WebMCP)

Compatible with AI clients that drive the analyzer via the WebMCP protocol.

Privacy & security

No telemetry. No third-party servers. No data leaves your machine except for the direct fetch to the SOAP endpoint you typed.

The extension only relays messages from wsdlsoap.com and localhost — other sites are silently ignored.
Credentials are stored locally in chrome.storage.local and never sent anywhere except the matching endpoint.
Built on Manifest V3 with minimal permissions: storage, declarativeNetRequest, host access to wsdlsoap.com + <all_urls> for the target SOAP server fetches.

Troubleshooting

The Extension panel keeps showing "NOT INSTALLED" after I installed it

Reload the wsdlsoap.com tab (Ctrl+R). The extension's content script injects window.__soapReaderExtension on page load — open tabs from before the install don't have it. Also confirm the extension is enabled at chrome://extensions.

"SSL certificate error" when loading a WSDL

The target server uses a self-signed or untrusted certificate. Open the WSDL URL directly in a new tab and accept the certificate warning once; future fetches through the extension will succeed. For corporate self-signed CAs, install the CA root in your OS trust store.

SOAP test returns HTTP 405 Method Not Allowed

You may be running an old extension version (≤ 1.0.x) that only supports GET. Update from the Web Store — v1.1.0 added POST/body/headers support for SOAP testing.

Test still returns a CORS error

The extension should bypass CORS automatically. If you still see it, the request probably went through the fallback path (direct fetch / public proxy). Check that the 🧩 Extension panel in the sidebar shows the green v1.1.0 badge before clicking Send.

The Firefox version doesn't work the same way

The Firefox build is feature-identical for CORS bypass / WSDL load / SOAP test. mTLS via chrome.certificateProvider is ChromeOS-only — on Firefox, use the certificate manager in about:preferences#privacy.

How do I uninstall?

At chrome://extensions (or about:addons in Firefox), find "Soap Reader — CORS Proxy" and click Remove. No leftover data outside the extension's local storage.

Prefer not to install anything?

The analyzer still works without the extension. Check the alternatives:

Local Proxy — zero-dependency Node/Python script you run locally. Open the analyzer and find Local Proxy in the sidebar.
Edge Proxy — automatic Cloudflare Worker fallback. No setup, works for public WSDLs.
Tampermonkey script — works on any browser with Tampermonkey installed.