4

I've written a Chrome Extension for my library. It makes an AJAX call to api.library.edu (school's library).

My extension uses jQuery and my code looks like this:

$.get("http://api.library.edu/?period=1month", function (data) {
    // process data
});

When I load my Extension, it makes the AJAX call and I get data back.

Right now I give absolutely no permissions to my extension (permissions is []).

Is my extension going to work when I publish it? Shouldn't it require special permissions to make AJAX calls with jQuery?

Thanks! I'm just making sure I wrote my extension correctly.

Maximillian Laumeister
  • 19,884
  • 8
  • 59
  • 78
bodacydo
  • 75,521
  • 93
  • 229
  • 319

1 Answers1

3

Your extension does not need any additional permissions to make AJAX calls from within the same origin. However, if api.library.edu does not set the proper CORS headers, you may need to request cross-origin permission for that domain:

{
  "name": "My extension",
  ...
  "permissions": [
    "http://api.library.edu/"
  ],
  ...
}

From Google's Docs:

Each running extension exists within its own separate security origin. Without requesting additional privileges, the extension can use XMLHttpRequest to get resources within its installation.

...

By adding hosts or host match patterns (or both) to the permissions section of the manifest file, the extension can request access to remote servers outside of its origin.

If your extension is already working though, that would lead me to believe that the library API already has cross-domain headers set, and that you will not need any additional permissions.

Community
  • 1
  • 1
Maximillian Laumeister
  • 19,884
  • 8
  • 59
  • 78
  • 2
    Thanks. Now I know why it works. I asked sysadmin of `api.library.edu` to set `Access-Control-Allow-Origin: *` this header a month ago. He did that and it that's why it works. – bodacydo Aug 04 '15 at 01:01