From the other end, yes extensions access all page data, but pages shouldn't access extension data at all; it feels like that should be the CORS violation.
You have it backwards. For an extension to work on a page, it's data/code needs to be accessible from said page. If your extension server in chrome enforced CORS to prevent access from tabs on other websites, extensions wouldn't work anywhere.
