Cross Domain Chrome Extension

I know this has been talked about many times here and I've read most of these threads, but I can't seem to get the script to work.

The problem is that I am trying to use the Bitly API to shorten URLs in a Google Chrome extension. I am storing the username and apiKey in localStorage, and before that I validate them.

Code for this:

$.ajax({
    url: "http://api.bit.ly/v3/validate",
    dataType: 'jsonp',            // JSONP: jQuery injects a <script> tag to receive the response
    data: {
        login: login,
        apiKey: apiKey,
        x_login: "test",
        x_apiKey: "test"
    },
    success: function (jo, textStatus, jqXHR) {
        if (jo.status_code == 200) {
            setItem('dg_BitlyApiKey', apiKey);   // persist the validated credentials to localStorage
            setItem('dg_BitlyLogin', login);
            alert('Saved');
        } else {
            alert('Incorrect login and/or apiKey!');
        }
    }
});


I have my permissions set to "permissions": ["tabs", "notifications", "http://*/*", "https://*/*"], but I still keep getting:

Refused to load script from 'http://api.bit.ly/v3/validate?callback=jQuery17204477599645033479_1334062200771&login=&apiKey=&x_login=test&x_apiKey=test&_=1334062201506' because of Content-Security-Policy.


The script itself runs outside of the extension, so I guess the problem is not with the script but with the permissions.

What am I doing wrong here?

+5




4 answers


The problem is that you are not really making an XHR request; you are making a JSONP request to an insecure HTTP resource. See the question How to Load External JavaScript Inside Extension Popup and its associated Chromium bug report.

Yes, we no longer allow unsafe scripts in extensions. If you download a script over HTTP, an active network attacker could inject the script into your extension, which is a security vulnerability.



JSONP works by dynamically adding a script tag to your page and then executing the content. In your case, the script resource is fetched over HTTP (instead of HTTPS). If your extension uses version 2 of the extension's manifest, its background pages cannot fetch non-HTTPS scripts.

Solution: If you use the Bitly API over HTTPS, I believe this will fix your problem. Send your Ajax call to https://api-ssl.bitly.com/v3/validate (instead of the current value http://api.bit.ly/v3/validate).

+6
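The same credential check written as a plain cross-origin JSON request rather than JSONP, as an added example that is not code from the question or any answer. JSONP works by injecting a `<script>` tag, which the extension's CSP refuses for a remote origin; a JSON body is parsed as data and never executed, so only the host permission matters. The names validateBitlyLogin, interpretValidateResponse, fetchImpl and store are this example's own, and the response is interpreted the way the question's success callback does (status_code 200).

```javascript
// Added example (not from the question or any answer): Bitly credential
// validation done from the background page with a JSON fetch instead of a
// JSONP <script> injection. validateBitlyLogin, interpretValidateResponse,
// fetchImpl and store are names invented for this example.

const BITLY_VALIDATE = "https://api-ssl.bitly.com/v3/validate"; // HTTPS endpoint from the accepted answer

// Build the query string. URLSearchParams encodes the values, so a login or
// key containing '&' or '#' cannot break the request. Any non-HTTPS base is
// refused: sending the API key in clear text is exactly the active-network-
// attacker risk the Chromium bug report describes.
function buildValidateUrl(login, apiKey, base = BITLY_VALIDATE) {
  const url = new URL(base);
  url.search = new URLSearchParams({ login, apiKey, x_login: "test", x_apiKey: "test" }).toString();
  if (url.protocol !== "https:") {
    throw new Error(`refusing to send credentials over ${url.protocol}`);
  }
  return url.toString();
}

// Interpret the parsed JSON body as the question's callback does:
// status_code 200 means the credentials were accepted.
function interpretValidateResponse(body) {
  return body !== null && typeof body === "object" && body.status_code === 200;
}

// Run the check. fetchImpl is injectable so the flow can be exercised offline
// with a stub; store stands in for the question's setItem() helper.
async function validateBitlyLogin(login, apiKey, { fetchImpl = globalThis.fetch, store = () => {} } = {}) {
  const resp = await fetchImpl(buildValidateUrl(login, apiKey), { method: "GET" });
  const ok = interpretValidateResponse(await resp.json()); // data, never a <script>
  if (ok) {
    store("dg_BitlyApiKey", apiKey);
    store("dg_BitlyLogin", login);
  }
  return ok;
}
```

In the extension, call validateBitlyLogin from the background page with the real fetch and a store that writes to localStorage; the "https://*/*" host permission already covers the api-ssl.bitly.com origin.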




You need to package your application / extension for cross-domain requests. The hosting application will not be able to fulfill cross-domain requests. See:

Cross-Origin XMLHttpRequest in chrome extensions

0




Also, starting in 2019, you have to send cross-origin requests from the background page.

See: https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

0




To make cross-origin requests in a Chrome extension, you must avoid cross-origin fetches in content scripts.

You can find the complete answer at fooobar.com/questions/17134658 / ...

Or in the documentation https://www.chromium.org/Home/chromium-security/extension-content-script-fetches

0

