Cross-Origin XMLHttpRequest not working in Chrome Packaged App despite having url in permissions

Question

I'm having a similar issue to this other question on SO, "XMLHttpRequest not working in Google Chrome Packaged Web App". However, the selected answer is not working for me. I do have the url that I'm trying to request listed in the manifest permissions. I have a feeling this has to do with cross-site-scripting prevention, as I read about in the Cross-Origin XMLHttpRequest and Embed Content docs for Chrome.

When I inspect the response, everything's empty, no status code, no response, no statusText, just like what happens when trying to make a request across domains as in XSS, as seen in this SO question: Empty responseText from XMLHttpRequest.

Here's my manifest:

{
    "manifest_version" : 2,
    "name": "{name}",
    "description" : "{description}",
    "version" : "0.1",
    "minimum_chrome_version": "23",

    "permissions": [
        "idle",
        "storage",
        "notifications",
        "https://prefix.domain.suffix/*",
        "https://prefix.domain.suffix/sub/"
    ],

    "app": {
        "background": {
          "scripts": ["models.js", "background.js"]
        }
    },


    "icons": { "16": "icon-16.png", "128": "icon-128.png" }
}

I'm using this function to do the requests:

function xhr(url, callback){
    var timeout= 2000;
    var xhr = new window.XMLHttpRequest();
    xhr.ontimeout = function () {
        console.error("The request for " + url + " timed out.");
    };
    xhr.onerror = function(){
        console.error("error: "+xhr.statusText);
    }
    xhr.onload = function() {
        if (xhr.readyState === 4) {
            if (xhr.status === 200) {
                window.console.log("response: "+xhr.response);
                callback(JSON.parse(xhr.response));
            } else {
                console.error(xhr.statusText);
            }
        }
    };
    xhr.open("GET", url, true);
    xhr.timeout = timeout;
    xhr.send(null);
}

The url I'm trying to request is fairly basic with some query string parameters tacked on the end and looks like this:

https://prefix.domain.suffix/sub/serve.aspx?param1=val1&param2=val2

Which, when loaded in the browser, returns simple and valid JSON:

{
    "ret" : [

        { "date": 1380603600000, "foo": bar1 }, 
        { "date": 1380776400000, "foo": bar2 }
    ]
}

The function I'm using to test in the developer console is this:

xhr('https://prefix.domain.suffix/sub/serve.aspx?param1=val1&param2=val2', function(e){ console.log(e); });

All that is printed to the console is error:, and xhr at that moment is:

XMLHttpRequest {statusText: "", status: 0, response: "", responseType: "", responseXML: null…}

One other thing which may need to be considered is that this url I'm requesting is behind authentication on my server. I'm logged in and am able to access the page, regardless of which tab I'm using, so I don't think that's the problem, but it still might be.

Answer 1

Apps don't share your browser's cookie store. They're like native apps in that respect. So your last paragraph is likely the issue. Change to a server that doesn't require authentication as a test to confirm it. Then investigate chrome.identity.

Answer 2

 if (window.XMLHttpRequest)
            {// code for IE7+, Firefox, Chrome, Opera, Safari
                xmlhttp = new XMLHttpRequest();
            }
            else
            {// code for IE6, IE5
                xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
            }

try this...