(In reply to dessant from comment #2)
> Disallowing the modification of Access-Control-Allow-* response headers will impact extensions that need to download page content.

We'd like to disallow by default, to increase the security baseline of add-ons. Currently, any add-on with the webRequestBlocking permission can potentially downgrade security headers, even though most add-ons don't need such functionality. We want to restrict first, and consider the reintroduction of the functionality in a follow-up - bug 1787155.

> Search by Image sets CORS headers for some images in order to download them from the content script before uploading to a search engine. In many cases an asset will only be served if the request contains the correct origin, referrer and cookies. Reproducing such a fetch request was impossible from a background page last time I tested, and even if configuring all aspects of a request becomes possible, it could still open up extensions to security issues, because it's difficult to figure out if certain data types would be sent by the browser if the request would be made from the page context, such as the referrer. We would also need to request additional permissions, such as access to HTTP cookies.

We'd prefer to offer a dedicated API to fetch data with the right request context. Bug 1670278 tracks the development of that feature (it mentions cookieStoreId, but the intent is for the method to be more generic and a viable replacement for fetch from a MV2 content script).