The portal uses cross-origin resource sharing (CORS) to communicate to back-end services directly from the browser. We are working with our partner teams to get a full list of URLs required to manage your resources in the portal. Here are a few known URLs:
Please let us know if we missed any.Jan V. commented
To whitelist, it would be helpful to have information on the URLs used by extensions or azure services (mapping URL to extension/service). In that way, at least we can document and know why they are opened in the first place. Above, grouping in domains preferred over IPs/subnet as well (which regularly change).