CODEWITHSUNDEEP
google-chromegoogle-chrome-extension
vishesh
vishesh

Reputation: 2045

cross domain request in injected script from chrome extension

I am writing a chrome extension that injects an iframe in the open tab and loads a url in it.The url to be loaded is not on the same domain as the opened page in the tab is.I am using following code :

--menifest.json--

"background" : {
    "scripts": ["background.js"]
  },
  "permissions": [
    "tabs", "http://*/", "https://*/"
  ]

--background.js--

chrome.browserAction.onClicked.addListener(function(tab) {
    chrome.tabs.executeScript(null,
                           {file:"logic.js"});
});

--logic.js--

var newdiv = document.createElement('div');
var iframe = document.createElement('iframe');
iframe.setAttribute('src','http://google.co.in');
newdiv.appendChild(iframe);
document.body.appendChild(newdiv);

this works only when the curent page is http://google.co.in and not on other pages.So I am hitting cross domain issues.but as far as I know,extensions can make the cross domain requests,then how to do it?Please help.

Upvotes: 1

Views: 651

Answers (1)

Sudarshan
Sudarshan

Reputation: 18564

Google uses X-Frame-Options header, many websites make use of them as a best practise

There are three possible values for X-Frame-Options:

  • DENY The page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself.
  • ALLOW-FROM uri The page can only be displayed in a frame on the specified origin.

Google uses SAMEORIGIN Value, so this works only when the curent page is http://google.co.in.

So, you are not hitting cross domain issues and Yes extensions can make the cross domain requests.

Upvotes: 2

Related Questions