Reputation: 145
Chrome extension ignores XMLHttpRequest.withCredentials field
I am developing a Chrome extension that makes XMLHttpRequest's on various sites but I notice that my browser ignores the field "withCredentials". Whether this is set to true or false, the response is always the same and contains the web page as it was requested by a simple url navigation through the browser.
Manifest:
"background": {
"scripts": ["jquery.min.js", "daemon.js"],
"persistent": true
},
"permissions": [
"<all_urls>"
]
Inside daemon.js:
var xhr = new XMLHttpRequest();
xhr.open("GET", 'http://stackoverflow.com/', true);
xhr.withCredentials = false;
xhr.onload = function(e) {
$('body').html(xhr.responseText);
}
xhr.send();
This will return stackoverflow.com being loaded with my username inside some DOM element despite setting withCredentials to false. My questions are:
- Is this a working as intended behavior?
- If yes, is there a workaround for this? Making http requests from inside an extension but ignoring cookies or other session information? (UPDATE: ignoring all credential information like client-side certificates or http authentication)
I'm using latest (22.0.1229.79 m) Chrome.
Upvotes: 3
Views: 2809
Answers (2)
Reputation: 38378
You need to whitelist API endpoint(s) in your Chrome extension. Example:
{
"name": "My extension",
...
"host_permissions": [
"https://stackoverflow.com/"
],
...
}
See Requesting cross-origin permissions
Upvotes: 0
Reputation: 349042
Yes, this (the action of credentials being sent) is intended behaviour. The XMLHttpRequest level 2 specification #withCredentials says (it's the last line of the section):
The withCredentials attribute has no effect when fetching same-origin resources.
Apparently, code run in Chrome extension's context with sufficient permissions (manifest file) cause the property to behave the same as if the request was made from the same origin.
I've checked if fetching the request from the background page solved anything, and concluded that it does not help. If the other site supports CORS (through headers), then the solution is to not mention the site at the "permissions" section of the manifest file.
All of the other options are highlighted in this answer.
If none of the methods are satisfying, then the answer to question two is "No, there is no workaround".
Upvotes: 2
Related Questions
- chrome.webRequest.onAuthRequired Listener
- Chrome extension XMLHttpRequest: Content Security Policy directive
- javascript Chrome Extension Not able to read httponly cookies
- Chrome ignores Set-Cookie response headers from XMLHttpRequest within extension
- XMLHttpRequest not working in google chrome extension
- Chrome extension bug that could be related to cross-origin permissions
- Send XHR request from Chrome extension with cookies
- Integrating web app with chrome extension
- XMLHttpRequest in Chrome Extension with HTTP Authorization continues to send Authorization Header on regular pages
- Chrome extension authentication