1

I have a Chrome extension and in the content-script file I have something like this:

    $(document).ready(function() {
        var currentHostname = cleanHostname(window.location.hostname);

        $.ajax({
            url:    BASEURL + 'checkSite',
            dataType: 'json',
            method: 'get',
            data: {'hostname': currentHostname},
            success: function(data) {
                data = JSON.parse(data);
                console.log(data);
            }
        });
    });

This code works great on non-https sites, as Chrome allows non-https resources to be allowed on them. However, whenever I go to an https site I get this:

Mixed Content: The page at 'https://www.google.com/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://localhost:8000/checkSite?hostname=google.com'. This request has been blocked; the content must be served over HTTPS.

Which makes total sense. I understand this policy. But I think that an extension should get special treatment. How do I work around this? I've considered using background.js to do all the ajax and then do message passing, but I would strongly like to avoid that, but I will if needed.

Does anyone know?

Jaxkr
  • You have to run the ajax request in the background of the chrome extension. You can pass a message back to do this: https://developer.chrome.com/extensions/messaging – Brian Jul 04 '15 at 11:57
  • Really? only way? I implemented this, but it doesn't feel clean. – Jaxkr Jul 05 '15 at 07:35

2 Answers

1

From Here :

Requesting cross-origin permissions

By adding hosts or host match patterns (or both) to the permissions section of the manifest file, the extension can request access to remote servers outside of its origin.

    {
      "name": "My extension",
      ...
      "permissions": [
        "http://www.google.com/"
      ],
      ...
    }

joey rohan
0

I have solved my issue by following @Brian's advice.

I just did all the ajax in background.js and used message passing to communicate with my content script.

Jaxkr
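The background-script approach from the comments and the last answer, as an added example that is not the poster's code: the background side validates the message and builds the request itself, so the content script can only ask about a hostname and never supplies a URL. The `checkSite` message type, the helper names, the `BASEURL` value and the use of `fetch` are assumptions, and the manifest is assumed to grant host permission for the API origin.

```javascript
// ---- background.js: runs in the extension's own context, not in the HTTPS page ----
// Assumed names: BASEURL value, the 'checkSite' message type, and every helper below.
const BASEURL = 'http://localhost:8000/'; // origin seen in the blocked request above
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Accept only plain DNS names so a message cannot smuggle paths or extra parameters.
function isValidHostname(h) {
  return typeof h === 'string' && h.length > 0 && h.length <= 253 &&
    h.split('.').every(label => LABEL.test(label));
}

// The endpoint is fixed here; the hostname is only ever a query-string value.
function buildCheckUrl(hostname) {
  const url = new URL('checkSite', BASEURL);
  url.searchParams.set('hostname', hostname);
  return url.toString();
}

// Returns true only when a response will be delivered asynchronously.
function handleMessage(msg, sender, sendResponse, fetchImpl = fetch, ownId = chrome.runtime.id) {
  if (!sender || sender.id !== ownId) return false; // defence in depth: own scripts only
  if (!msg || msg.type !== 'checkSite' || !isValidHostname(msg.hostname)) {
    sendResponse({ ok: false, error: 'bad request' });
    return false;
  }
  fetchImpl(buildCheckUrl(msg.hostname))
    .then(r => { if (!r.ok) throw new Error('HTTP ' + r.status); return r.json(); })
    .then(data => sendResponse({ ok: true, data }))
    .catch(err => sendResponse({ ok: false, error: String(err) }));
  return true; // keeps the message channel open until sendResponse runs
}

// ---- content script: replaces the $.ajax call with a message to the background ----
function checkSite(hostname, callback) {
  chrome.runtime.sendMessage({ type: 'checkSite', hostname }, callback);
}

// Register the listener only where the extension API exists (skipped outside Chrome).
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  chrome.runtime.onMessage.addListener((m, s, r) => handleMessage(m, s, r));
}
```

In the content script, the original call becomes `checkSite(cleanHostname(window.location.hostname), function(resp) { console.log(resp); })`.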