15

The users of our website run our Chrome plugin which, amongst other things, performs cross-origin requests via XMLHttpRequest as described on the Chrome extension development pages. This has been running just fine for a few years now. However, ever since our users upgraded to the latest version of Chrome (v38), these requests have failed. Our site runs on HTTPS and some of the URLs loaded via our content script are on HTTP. The message is:

[blocked] The page at 'https://www.ourpage.com/' was loaded over HTTPS, but ran insecure content from 'http://www.externalpage.com': this content should also be loaded over HTTPS.

The reported line where the error occurred is in the content script where I'm issuing the HTTP call:

xhr.send(null);

I have no control over the external page and I would rather not remove SSL from our own page. Question: Is this a bug or is there a workaround that I am not aware of?

(Note: The permissions in the manifest were always set to <all_urls> which had worked for a long time. Setting it to http://*/ and https://*/ did not help.)

Oliver

1 Answer

10

If possible, use the https version of that external page.

If that is not possible, use the background page to handle the AJAX request (example).

Rob W
  • @RobW I added my background and scrip.js file in `web_Accessible_resources` but I'm still getting the `mixed content` error. – Volatil3 May 07 '15 at 11:21
  • 1
    @Volatil3 Use the method with the background page. My previous suggestion doesn't work because mixed content restrictions propagate to child frames. – Rob W May 07 '15 at 11:43
  • @RobW, is your suggestion _use the background page to handle the AJAX request_ still working? I have tested here with Google Chrome 51 but it isn't working. –  Aug 08 '16 at 00:52
  • @Franciscocamilo Yes. I did `fetch('http://example.com').then(r => r.text()).then(t => console.log(t))` in the background page in Chrome 52, and the content of example.com was printed. Did you add the permissions for accessing the site for which you're requesting content, including redirects if any? – Rob W Aug 08 '16 at 03:07
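
The background-page approach from the answer above, as an added example (not part of the original answer or of the example it links to): the content script asks the background page to fetch the HTTP URL, and the background page only serves hosts on an allowlist so it cannot be used as an open proxy. The message type `fetch-text`, the names `ALLOWED_HOSTS`, `isAllowedUrl` and `handleFetchRequest`, and the use of the question's placeholder host are assumptions.

```javascript
// background.js -- added example; names and message shape are assumptions.
// Hosts the background page may fetch for content scripts. List the same
// hosts under "permissions" in the manifest.
const ALLOWED_HOSTS = new Set(['www.externalpage.com']);

// Accept only http(s) URLs, without embedded credentials, on an allowlisted host.
function isAllowedUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  if (u.username || u.password) return false;
  return ALLOWED_HOSTS.has(u.hostname);
}

// Handle one request from a content script. fetchImpl is passed in so the
// function can be exercised outside the browser.
async function handleFetchRequest(msg, fetchImpl) {
  if (!msg || msg.type !== 'fetch-text' || !isAllowedUrl(msg.url)) {
    return { ok: false, error: 'url not allowed' };
  }
  try {
    // Assumption: the external page needs no cookies, so none are sent.
    const res = await fetchImpl(msg.url, { credentials: 'omit' });
    // Do not hand back a body that came from a redirect to another host.
    if (!isAllowedUrl(res.url || msg.url)) {
      return { ok: false, error: 'redirected off allowlist' };
    }
    return { ok: res.ok, status: res.status, text: await res.text() };
  } catch (e) {
    return { ok: false, error: String(e) };
  }
}

// Register the listener only when running inside the extension.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((msg, sender, sendResponse) => {
    handleFetchRequest(msg, fetch).then(sendResponse);
    return true; // keep the message channel open for the async response
  });
}

// Content script side (runs in the HTTPS page, so it must not issue the XHR itself):
//   chrome.runtime.sendMessage(
//     { type: 'fetch-text', url: 'http://www.externalpage.com/' },
//     resp => { if (resp.ok) someElement.textContent = resp.text; });
// The body arrived over plain HTTP and can be altered in transit, so treat it
// as untrusted data: textContent, never innerHTML or eval.
```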