Cross Domain Chrome Extension
I know this has been talked about many times here and I've read most of these threads, but I can't seem to get the script to work.
The problem is I am trying to use the bit.ly API to shorten URLs in a Google Chrome extension. I am storing the username and apiKey in localStorage, and before that I validate them.
Code for this:
    // JSONP request to the bit.ly validate endpoint; setItem() is the
    // extension's own localStorage helper.
    $.ajax({
        url: "http://api.bit.ly/v3/validate",
        dataType: 'jsonp',
        data: {
            login: login,
            apiKey: apiKey,
            x_login: "test",
            x_apiKey: "test"
        },
        success: function (jo, textStatus, jqXHR) {
            // bit.ly reports success in the body's status_code field
            if (jo.status_code == 200) {
                setItem('dg_BitlyApiKey', apiKey);
                setItem('dg_BitlyLogin', login);
                alert('Saved');
            } else {
                alert('Incorrect login and/or apiKey!');
            }
        }
    });
I have my permissions set to "permissions": ["tabs", "notifications", "http://*/*", "https://*/*"], but I still keep getting:
Refused to load script from 'http://api.bit.ly/v3/validate?callback=jQuery17204477599645033479_1334062200771&login=&apiKey=&x_login=test&x_apiKey=test&_=1334062201506' because of Content-Security-Policy.
The script itself runs outside of the extension, so I guess the problem is not with the script, but with the permissions.
What am I doing wrong here?
The problem is that you are not really making an XHR request, you are making a JSONP request on an insecure HTTP resource. See the question "How to Load External JavaScript Inside Extension Popup" and its associated Chromium bug report.
Yes, we no longer allow unsafe scripts in extensions. If you download a script over HTTP, an active network attacker could inject the script into your extension, which is a security vulnerability.
JSONP works by dynamically adding a script tag to your page and then executing the content. In your case, the script resource is fetched over HTTP (instead of HTTPS). If your extension uses version 2 of the extension's manifest, its background pages cannot fetch non-HTTPS scripts.
Solution: If you use the bit.ly API over HTTPS, I believe this will fix your problem. Send your Ajax call to https://api-ssl.bitly.com/v3/validate (instead of the current value http://api.bit.ly/v3/validate).
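To make the point above concrete, here is an added example (not code from the question or the answer) of how the same validate call can be built so that it can never point a script tag at a plain-HTTP resource, and how the result can be read as JSON data instead of executed as JSONP. It assumes the HTTPS endpoint named above and a page-style response body; the sample response below is constructed, and no network call is made.

```javascript
// Added example, not part of the original post. The endpoint is the HTTPS
// one the answer recommends; the response body used later is constructed.
const BITLY_VALIDATE_HTTPS = "https://api-ssl.bitly.com/v3/validate";

// Build the validate URL and refuse anything that is not https:. A JSONP
// call turns this URL into a <script src=...>, which is exactly what the
// extension CSP in the question refuses for http:// sources.
function buildValidateUrl(base, login, apiKey) {
  const u = new URL(base);
  if (u.protocol !== "https:") {
    throw new Error("refusing non-HTTPS endpoint: " + base);
  }
  u.searchParams.set("login", login);
  u.searchParams.set("apiKey", apiKey);
  u.searchParams.set("x_login", "test");   // same fixed values as the question
  u.searchParams.set("x_apiKey", "test");
  return u.toString();
}

// Same acceptance rule as the question's success handler: the body's
// status_code field, not the HTTP status, says whether the credentials
// were accepted.
function credentialsAccepted(body) {
  return Boolean(body) && body.status_code === 200;
}

// Constructed sample bodies in the shape the question's handler expects.
const SAMPLE_OK = { status_code: 200, status_txt: "OK", data: { valid: 1 } };
const SAMPLE_BAD = { status_code: 500, status_txt: "INVALID_LOGIN", data: null };

// For a background page that already has host permissions, a plain JSON
// fetch works cross-origin and parses the reply as data, so no remote
// script is ever executed inside the extension. fetchImpl is injectable
// so the function can be exercised without a network.
async function validateCredentials(login, apiKey, fetchImpl = fetch) {
  const url = buildValidateUrl(BITLY_VALIDATE_HTTPS, login, apiKey);
  const res = await fetchImpl(url);
  return credentialsAccepted(await res.json());
}
```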
Also, starting in 2019, you have to send cross-origin requests from the background page.
See: https://www.chromium.org/Home/chromium-security/extension-content-script-fetches
To make cross-origin requests in a Chrome extension, you must avoid cross-origin fetches in content scripts.
You can find the complete answer at fooobar.com/questions/17134658 / ...
Or in the documentation https://www.chromium.org/Home/chromium-security/extension-content-script-fetches