
I'm writing an extension that requests XML content from a server and displays data in a popup/dialog window. I've added the website to my manifest.json permissions like so:

```
"permissions": [
    "http://*/*"
],
```

Later I added the following code to my background page:

```
function loadData() {
    var url = "http://www.foo.com/api/data.xml";
    var xhr = new XMLHttpRequest();
    xhr.open('GET', url, true);
    ...
    xhr.send();
}
```

The problem is that I get the cross-site security error "Origin chrome-extension://kafkefhcbdbpdlajophblggbkjloppll is not allowed by Access-Control-Allow-Origin."

The thing is, with "http://*/*" in the permissions I can request "http://www.foo.com/api", but I can't find any way to allow "http://www.foo.com/api/data.xml". I've tried both "http:////*" and "http://www.foo.com/api/data.xml" in the "permissions". What else should I be doing?

dana
Black
  • Apparently this is a way to tell you that the resource you're trying to access is not available to you in JS, due to a security policy on foo.com side. See http://stackoverflow.com/a/13400954/2698119 for more details. – Métoule Oct 05 '13 at 08:22
  • I appreciate your input, but I tried the same thing with a plain XML file on a server with no special policies at http://111.67.19.141:8080/api/data.xml, and the same behaviour was observed – Black Oct 05 '13 at 09:31
  • It seems that this policy is enforced by default. Your file is served without `Access-Control-Allow-Origin:*`, so you can't access it. Try adding that response header to your HTTP response. – Métoule Oct 05 '13 at 09:46
  • That does seem to allow me to make the request and retrieve the data. It's bad news for me though, as I have no control over the actual server I'm trying to get data from. So it's a dead-end for me without a work-around. Do you want to submit the info in the form of an 'Answer' rather than a 'Comment', so I can accept it? – Black Oct 05 '13 at 10:20

1 Answer


This should work (SOP doesn't apply to Chrome extensions), so there are three possibilities:

1. There is some mistake somewhere

   Just to make sure, add the `<all_urls>` permission and check that the extension really has this permission (e.g. execute `chrome.runtime.getManifest()` in the console when inspecting the background page).

2. The server itself is checking the Origin header and is rejecting the request if the origin value is unexpected

   You can quickly check this by using some HTTP tester and sending the request manually (for example Dev Http Client for Chrome, since I'm one of the developers). If it shows the same error, it means that the server is really checking the Origin header.

   To fix this you will have to make the server somehow accept your origin, or you can use `chrome.webRequest` to set a valid Origin header on all the requests sent to the target server (the standard XHR API doesn't allow modification of the Origin header).

3. Chrome bug

   Well, in this case you can only report this error and hope for the best.

jusio
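The permission check from the answer's first point, as an added example that is not part of the original answer: a simplified matcher, runnable in Node.js, that lists which entries of a manifest's `permissions` array cover a given URL. The sample manifest is constructed, only http/https patterns are handled, and ports are ignored.

```javascript
// Added example: simplified matcher for extension host-permission patterns
// (<scheme>://<host><path>, or <all_urls>). Only http/https are handled and
// the port is ignored; both are simplifications made for this sketch.
const SCHEMES = ["http", "https"];

function globToRegExp(glob) {
  // Escape regex metacharacters, then turn each '*' into '.*'.
  const escaped = glob.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

function matchesPattern(pattern, urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol.slice(0, -1); // "http:" -> "http"
  if (!SCHEMES.includes(scheme)) return false;
  if (pattern === "<all_urls>") return true;

  const m = /^(\*|https?):\/\/(\*|\*\.[^\/*]+|[^\/*]+)(\/.*)$/.exec(pattern);
  if (!m) return false; // API permissions such as "tabs" are not host patterns
  const [, pScheme, pHost, pPath] = m;

  if (pScheme !== "*" && pScheme !== scheme) return false;

  const host = url.hostname;
  if (pHost.startsWith("*.")) {
    const base = pHost.slice(2);
    if (host !== base && !host.endsWith("." + base)) return false;
  } else if (pHost !== "*" && pHost !== host) {
    return false;
  }
  // The path glob is compared with path plus query string.
  return globToRegExp(pPath).test(url.pathname + url.search);
}

// Returns the entries of manifest.permissions that cover the given URL.
function coveringPermissions(manifest, urlString) {
  return (manifest.permissions || []).filter(
    (p) => typeof p === "string" && matchesPattern(p, urlString)
  );
}

// Constructed sample manifest; in the background page console the real one
// comes from chrome.runtime.getManifest().
const sampleManifest = { permissions: ["tabs", "http://*/*"] };
const target = "http://www.foo.com/api/data.xml";
console.log(coveringPermissions(sampleManifest, target)); // [ 'http://*/*' ]
```

If the returned list is empty for the URL being requested, the manifest does not grant access to it and the cause is the first of the three possibilities rather than the server.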