0

My extension can download a file through this url: https://docs.google.com/get_video_info?authuser=&docid=....

But when I use it in javascript, without being in an extension I have problem with CORS.

Both use the same code:

$.ajax({
     type: "GET",
     url: 'https://docs.google.com/get_video_info?authuser=&docid=',
});

Is there any way I can add CORS permission with or without user censorship other than in an extension, as is done in manifest.json?

user9022531
  • 107
  • 1
  • 2
  • AFAIK, cors is controlled on the server side, the client js code has no mean to bypass csp. – obfish May 06 '19 at 03:29
  • because when I use the same call in javascript but in an extension does it work? there is no way I can use it without being in an extension to the chrome? – user9022531 May 06 '19 at 03:33
  • 1
    CORS is controlled on the server side, thus this is impossible. You might be able to achieve what you want to do through the [Google API](https://developers.google.com/docs/api/) – Andrei Savin May 06 '19 at 03:43
  • 1
    Extension is a privileged js runtime where CSP can be turned off. But a common js runtime is not trusted by the browser by default. I am not familiar with the google docs api. Maybe some apis with cors support exist. If not, your js code will have no means to access the response content, however downloading is achievable (add an a tag to dom and click it). – obfish May 06 '19 at 03:46
  • um, I understand, is not there a way to request the release of CSP access for the user when they log in to my site? – user9022531 May 06 '19 at 03:51
  • You can try changing your code to instead have this: `url: 'https://cors-anywhere.herokuapp.com/https://docs.google.com/get_video_info?authuser=&docid='`. And for an explanation, see the *How to use a CORS proxy to get around “No Access-Control-Allow-Origin header” problems* section of the answer at https://stackoverflow.com/a/43881141/441757 – sideshowbarker May 06 '19 at 04:50
  • yes that works, but google docs creates a specific DRIVE_STREAM cookie on the browser that requests it, so making the call will not work because when I access the URL I receive unauthorized access. – user9022531 May 06 '19 at 06:20

0 Answers0