1

I am trying to write a Google Chrome Extension. In my manifest.json, I have the following line;

  "content_security_policy": "script-src 'self' https://ajax.googleapis.com https://api.uber.com; object-src 'self'",

When I do a jQuery Ajax call to "https://api.uber.com/v1/estimates/time", I am getting;

Failed to load resource: the server responded with a status of 405 (Method Not Allowed)
albooker.html:1 XMLHttpRequest cannot load https://api.uber.com/v1/estimates/time...... 

No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'chrome-extension://elgjhbhandpgpankfcdmlmndilgledee' is therefore not allowed access. The response had HTTP status code 405.

AJAX code;

$.ajax({
    type: "GET",
    dataType: "json",
    url: uberURL,
    success: function (jsondata) {
        // Call function to display details
        alert(JSON.stringify(jsondata));
    }
});

I have pasted the generated URL uberURL into a browser and that returns the expected data.

Am I doing this the correct way? Thanks

  • This sounds like you're trying to POST instead of GET. Can you show your AJAX code? – Xan Jun 27 '15 at 15:08
  • I was doing a POST instead of a GET. I have changed it and reduced the errors from 2 to 1; `XMLHttpRequest cannot load https://api.uber.com/v1/estimates/time?start_latitude=51.5269722&start_longitude=-0.1394349&server_token=xxxxxxx. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'chrome-extension://elgjhbhandpgpankfcdmlmndilgledee' is therefore not allowed access.` – Andrew Spiers Jun 27 '15 at 15:22
  • Please edit your question; code is unreadable in comments. – Xan Jun 27 '15 at 15:24
  • Quick check, have you reloaded the extension after modifying the CSP string? – Xan Jun 27 '15 at 15:58
  • Yep, both reload and deleted and readded. – Andrew Spiers Jun 27 '15 at 16:00
  • possible duplicate of ["No 'Access-Control-Allow-Origin' header is present on the requested resource"](http://stackoverflow.com/questions/20035101/no-access-control-allow-origin-header-is-present-on-the-requested-resource) – Jan Jun 27 '15 at 16:01
  • @AndrewSpiers Sorry I didn't realize the obvious. rsanchez is correct; you don't even need the CSP entry for Uber. – Xan Jun 27 '15 at 16:37

1 Answer

1

Adding URLs to the Content Security Policy allows you to execute code from those websites. If you want to be able to make Ajax calls instead, you need to add them to the permissions section of your manifest:

"permissions": ["https://api.uber.com/"]
rsanchez
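The distinction drawn in the answer (CSP `script-src` controls where extension pages may load script from, while `permissions` grants cross-origin requests) can be checked mechanically. The following is an added example, not part of the original question or answer: the manifest object is constructed from the question's CSP line, the function names are hypothetical, and the host-pattern matcher is a simplification that compares scheme and host only.

```javascript
// Constructed sample manifest (Manifest V2 style), modelled on the question's CSP line.
const manifest = {
  content_security_policy:
    "script-src 'self' https://ajax.googleapis.com https://api.uber.com; object-src 'self'",
  permissions: ["tabs", "https://api.uber.com/"],
};

// Split a CSP string into { directive: [source, ...] }.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Remote origins that the CSP allows to supply script to extension pages.
function remoteScriptOrigins(m) {
  const csp = parseCsp(m.content_security_policy || "");
  return (csp["script-src"] || []).filter((s) => /^https?:\/\//i.test(s));
}

// Simplified host-pattern check (assumption: scheme and host only; port and path ignored).
function hostPermissionCovers(pattern, url) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  if (scheme !== "http" && scheme !== "https") return false;
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?):\/\/(\*|(?:\*\.)?[^\/*]+)\//.exec(pattern);
  if (!m) return false; // API permission such as "tabs", not a host pattern
  if (m[1] !== "*" && m[1] !== scheme) return false;
  if (m[2] === "*") return true;
  if (!m[2].startsWith("*.")) return u.hostname === m[2];
  const base = m[2].slice(2);
  return u.hostname === base || u.hostname.endsWith("." + base);
}

// Report whether the XHR target is covered by a host permission, and whether
// its origin is (unnecessarily) trusted as a script source.
function audit(m, xhrUrl) {
  const scriptOrigins = remoteScriptOrigins(m);
  return {
    xhrAllowed: (m.permissions || []).some((p) => hostPermissionCovers(p, xhrUrl)),
    scriptOrigins,
    xhrOriginInScriptSrc: scriptOrigins.includes(new URL(xhrUrl).origin),
  };
}
```

When `xhrOriginInScriptSrc` is true for an origin that is only ever an Ajax target, that `script-src` entry can be dropped, which narrows the set of origins able to supply executable script to the extension.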