XMLHttpRequest succeeds without manifest permissions? Maybe CORS?


Question



I have developed a Google Chrome extension that uses YouTube Data API v2. My permission field in the manifest looks like this, because the script is injected in pages under youtube.com and I also need access to tabs:

"permissions": ["tabs", "*://*.youtube.com/*"]

This also works when I do a request to YouTube Data API v2 because the request is done to http://gdata.youtube.com/, so it is the same domain. But now I am migrating to YouTube Data API v3, and the requests must be done to http://www.googleapis.com/youtube/v3/ (note HTTPS instead of HTTP also). However, surprisingly, my requests are working perfectly without adding any new permission.

I know, I am asking something that doesn't seem to be a problem, but personally I consider any behavior that I don't understand in my software a problem. Why does this happen? Am I not supposed to add a permission such as "*://*.googleapis.com/*" in order for my XMLHttpRequest requests to the API to work?

I also have some kind of guess about this: HTTP Access Control headers. My requests do send an Origin header with value chrome-extension://myExtensionId. And the answer from the API also contains the following header:

Access-Control-Allow-Origin: chrome-extension://myExtensionId

But could this be the reason Chrome is allowing me to do a cross-origin XMLHttpRequest without any extra permission defined in the manifest? Not sure, and apparently this is not documented anywhere in Google APIs, YouTube Data API v3 or Chrome Extensions developer documentation.

Answer

If Chrome does not find the permission in the manifest, it treats a request as a normal request. This means that a request will still succeed when the right CORS headers are set. Otherwise, a request will fail because of the same origin policy.

The Google API JavaScript library explicitly mentions support for CORS:

Making a request: Option 3
Google APIs support CORS. Please visit the CORS page for more information on using CORS to make requests.

If possible, I still recommend adding the permission to the manifest file. For simple requests, this does not bring any advantages. For non-simple requests, this will halve the number of requests: non-simple requests are always preceded by a preflight (OPTIONS) request which checks if the client is permitted to access the source.

By adding the permission to the manifest file, Chrome will not fall back to CORS, and always use one network request to complete the request. Great!

However... you might think again if you're the author of an already-deployed extension. When new origin permissions are added to the manifest file, the extension will be disabled until the user approves the extension. The dialog box shows "Remove extension" and "Enable" next to each other, so there's a chance of losing the user.

If you wish, you can overcome this problem by using an optional permission, activated at the options page. Clearly explain in layman language that the option will improve the speed of the extension, and don't forget to mention that additional permissions will be requested.
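The following JavaScript is an added example and is not code from the original question or answer. It models the two mechanisms the answer describes: when a manifest host permission covers the URL, Chrome skips CORS entirely and a single request is made; otherwise the normal web rules apply, the server must opt in with Access-Control-Allow-Origin, and a "non-simple" request (for example one carrying an Authorization header or a JSON body) costs an extra OPTIONS preflight. It also shows the options-page flow for requesting googleapis.com as an optional permission. Assumptions: the match-pattern grammar follows the Chrome extension docs (`*` scheme means http or https, `*.host` matches the host and its subdomains, path is a glob), the simple-request rules follow the Fetch spec, the preflight's Allow-Methods and Allow-Headers checks are not modelled, `chrome.permissions` is passed in as a parameter so the module runs outside a browser, and the scenario object (URL, permissions, response header) is constructed from the question.

```javascript
// Added example (not from the original question or answer): models Chrome's
// CORS behaviour for extension XHRs and the optional-permission flow.

// Compile a Chrome match pattern such as "*://*.googleapis.com/*" into a RegExp.
// Grammar assumed from the Chrome docs: <scheme>://<host><path>.
function compileMatchPattern(pattern) {
  const m = /^(\*|https?):\/\/(\*|\*\.[^/*]+|[^/*]+)(\/.*)$/.exec(pattern);
  if (!m) throw new Error(`invalid match pattern: ${pattern}`);
  const [, scheme, host, path] = m;
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const schemeRe = scheme === '*' ? 'https?' : scheme;            // "*" means http or https only
  const hostRe = host === '*' ? '[^/]+'
    : host.startsWith('*.') ? `(?:[^/]+\\.)?${esc(host.slice(2))}` // the domain and its subdomains
    : esc(host);
  const pathRe = esc(path).replace(/\*/g, '.*');                   // path component is a glob
  return new RegExp(`^${schemeRe}://${hostRe}${pathRe}$`, 'i');
}

// True if some host permission in the manifest covers the URL.
// API permissions such as "tabs" contain no "://" and are skipped.
function hostPermitted(permissions, url) {
  const u = new URL(url);
  const target = `${u.protocol.slice(0, -1)}://${u.hostname}${u.pathname}${u.search}`;
  return permissions
    .filter((p) => p.includes('://') || p === '<all_urls>')
    .some((p) => p === '<all_urls>' || compileMatchPattern(p).test(target));
}

// CORS "simple request" (Fetch spec): GET/HEAD/POST with only safelisted headers
// and, for Content-Type, only the three safelisted MIME types.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function isSimpleRequest(method, headers) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return false;
  return Object.entries(headers).every(([name, value]) => {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) return false;                        // e.g. Authorization forces a preflight
    return n !== 'content-type' || SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase());
  });
}

// Predict the round trips Chrome makes and whether the script may read the response.
// With a matching host permission CORS is bypassed: one request, always readable.
// Without one, the server must echo the extension origin (or "*") in
// Access-Control-Allow-Origin; non-simple requests are preceded by OPTIONS.
function planRequest({ permissions, extensionOrigin, url, method = 'GET', headers = {}, responseHeaders = {} }) {
  const verb = method.toUpperCase();
  if (hostPermitted(permissions, url)) {
    return { mode: 'host-permission', requests: [verb], readable: true };
  }
  const acao = Object.entries(responseHeaders).find(([k]) => k.toLowerCase() === 'access-control-allow-origin');
  const allowed = acao !== undefined && (acao[1] === '*' || acao[1] === extensionOrigin);
  return { mode: 'cors', requests: isSimpleRequest(verb, headers) ? [verb] : ['OPTIONS', verb], readable: allowed };
}

// Options-page flow from the answer's last paragraph: request the origin only when
// the user opts in. `permissionsApi` stands in for chrome.permissions (callback style,
// contains() / request() with an {origins: [...]} object), so this runs outside Chrome.
function enableDirectApiAccess(permissionsApi, origin, callback) {
  const wanted = { origins: [origin] };
  permissionsApi.contains(wanted, (already) => {
    if (already) return callback(true);
    permissionsApi.request(wanted, (granted) => callback(Boolean(granted)));
  });
}

// Constructed scenario taken from the question: only the youtube.com host permission,
// a request to the v3 API, and the server echoing the extension origin.
const scenario = {
  permissions: ['tabs', '*://*.youtube.com/*'],
  extensionOrigin: 'chrome-extension://myExtensionId',
  url: 'https://www.googleapis.com/youtube/v3/videos?part=snippet&id=example',
  responseHeaders: { 'Access-Control-Allow-Origin': 'chrome-extension://myExtensionId' },
};
```

`planRequest(scenario)` yields mode `cors` with a single GET, which is exactly the situation in the question: no host permission, yet the call succeeds because the API answers with a matching Access-Control-Allow-Origin. Adding an Authorization header to the same call produces `['OPTIONS', 'GET']`, and adding `*://*.googleapis.com/*` to the permissions collapses that back to one request, which is the speed-up the answer is describing.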
