1

I'm currently writing a Chrome extension that sends an HTTP request to a third-party API in order to show some data on the page, inside a DOM element.

However, I've run into an issue where Chrome blocks the HTTP request, because the page was loaded over HTTPS, and the API I'm using only supports HTTP. Specifically, the error I'm getting is this:

Mixed Content: The page at 'https://www.reddit.com/r/anime/comments/3d2g2u/merch_mondays_megathread_week_of_july_13_2015/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://myanimelist.net/malappinfo.php?u=TalesOhneNamen&status=all&type=anime'. This request has been blocked; the content must be served over HTTPS.

Obviously I understand why mixed requests are blocked for JS provided by the page itself, but is there a way to disable this for extensions? It would be a little ridiculous if the extension could only function on pages loaded over HTTP..

Veselin Romić
  • 703
  • 6
  • 11
  • 1
    I can not help on the matter. But FWIW, I don't think this limitation is ridiculous. It is there for a reason: your extension could send content from that encrypted page over an unencrypted connection. This is a violation of the security model and must be avoided. I guess that's the reason why Chrome is blocking it. – Kaii Jul 13 '15 at 21:50
  • I see what you mean, I guess I just figured extensions were considered 'separate' from the page enough to not be affected by security measures like this. Or, at least, that extension developers were afforded more freedom in making that decision themselves. Well, I'm probably dropping this project if this is really an insurmountable issue. Not really much point in an extension that only works about half of the time. – Veselin Romić Jul 13 '15 at 22:00
  • 2
    You could always run a simple proxy server somewhere like Heroku that supports HTTPS for free and make your extension requests through there. – abraham Jul 14 '15 at 03:58
  • Ah, I was actually thinking about that, but I couldn't think of a cloud platform that supported HTTPS on the free tier. Thanks, I'll have a look at that. – Veselin Romić Jul 14 '15 at 10:39

0 Answers0