XMLHttpRequest succeeds without manifest permissions? Maybe CORS?


Problem description

I have developed a Google Chrome extensions that uses YouTube Data API v2. My permission field in the manifest looks like this, because the script is injected in pages under youtube.com and I also need access to tabs:

"permissions": ["tabs", "*://*.youtube.com/*"]

This also works when I do a request to YouTube Data API v2 because the request is done to http://gdata.youtube.com/, so it is the same domain. But now I am migrating to YouTube Data API v3, and the requests must be done to http://www.googleapis.com/youtube/v3/ (note HTTPS instead of HTTP also). However, surprisingly, my requests are working perfectly without adding any new permission.

I know, I am asking something that doesn't seem to be a problem, but personally I consider any behavior that I don't understand in my software a problem. Why does this happen? Am I not supposed to add a permission such as "*://*.googleapis.com/*" in order for my XMLHttpRequest requests to the API to work?

I also have some kind of guess about this: HTTP Access Control headers. My requests do send an Origin header with value chrome-extension://myExtensionId. And the answer from the API also contains the following header:

Access-Control-Allow-Origin: chrome-extension://myExtensionId

But could this be the reason Chrome is allowing me to do a cross-origin XMLHttpRequest without any extra permission defined in the manifest? Not sure, and apparently this is not documented anywhere in Google APIs, YouTube Data API v3 or Chrome Extensions developer documentation.

Solution

If Chrome does not find the permission in the manifest, it treats a request as a normal request. This means that a request will still succeed when the right CORS headers are set. Otherwise, a request will fail because of the same origin policy.

The Google API JavaScript library explicitly mentions support for CORS:

Making a request: Option 3
Google APIs support CORS. Please visit the CORS page for more information on using CORS to make requests.

If possible, I still recommend adding the permission to the manifest file. For simple requests, this does not bring any advantages. For non-simple requests, this will halve the number of requests: non-simple requests are always preceded by a preflight (OPTIONS) request which checks if the client is permitted to access the source.

By adding the permission to the manifest file, Chrome will not fall back to CORS, and always use one network request to complete the request. Great!

However... you might think again if you're the author of an already-deployed extension. When new origin permissions are added to the manifest file, the extension will be disabled until the user approves the extension. The dialog box shows "Remove extension" and "Enable" next to each other, so there's a chance of losing the user.

If you wish, you can overcome this problem by using an optional permission, activated at the options page. Clearly explain in layman language that the option will improve the speed of the extension, and don't forget to mention that additional permissions will be requested.
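The following is an added example, not part of the question or the answer above, that models in plain Node.js the two mechanisms the answer contrasts: the CORS "simple request" rule that decides whether a preflight OPTIONS round-trip is needed, the server echoing the extension's Origin back in Access-Control-Allow-Origin, and the request count with and without a host permission in the manifest. The "allow any chrome-extension:// origin" server policy and the header sets are constructed for the illustration; they are not Google's configuration, and nothing here touches the network.

```javascript
// Added example (not from the original post): model why an extension's
// XMLHttpRequest to a host it has no manifest permission for can still succeed
// (CORS), and why a host permission saves the preflight for non-simple requests.

// Methods, request headers and Content-Type values that never trigger a preflight.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set([
  'accept', 'accept-language', 'content-language', 'content-type',
]);
const SIMPLE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Returns true when the browser may send the request without an OPTIONS preflight.
// Header names are matched case-insensitively; a Content-Type parameter such as
// "; charset=utf-8" is ignored when checking the media type.
function isSimpleRequest(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) return false;          // e.g. Authorization
    if (lower === 'content-type') {
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return false;       // e.g. application/json
    }
  }
  return true;
}

// Constructed model of a CORS-aware server: it reflects the Origin header back in
// Access-Control-Allow-Origin when the origin is an extension origin, which is the
// behaviour the question observed (chrome-extension://myExtensionId was echoed).
function corsResponseHeaders(originHeader) {
  if (typeof originHeader === 'string' && originHeader.startsWith('chrome-extension://')) {
    return { 'Access-Control-Allow-Origin': originHeader };
  }
  return {}; // no CORS header: the browser will block the response
}

// Browser-side check: the response is readable only if the allow header matches.
function browserAllowsResponse(origin, responseHeaders) {
  const allow = responseHeaders['Access-Control-Allow-Origin'];
  return allow === '*' || allow === origin;
}

// Number of network round-trips a request costs. With a host permission in the
// manifest Chrome skips CORS entirely (always 1); without it, a non-simple
// request pays for the preflight OPTIONS plus the real request (2).
function requestCount({ hasHostPermission, method, headers = {} }) {
  if (hasHostPermission) return 1;
  return isSimpleRequest(method, headers) ? 1 : 2;
}

// Stand-alone demonstration with the question's extension origin.
function demo() {
  const origin = 'chrome-extension://myExtensionId';
  const ok = browserAllowsResponse(origin, corsResponseHeaders(origin));
  const withPerm = requestCount({ hasHostPermission: true, method: 'PUT' });
  const withoutPerm = requestCount({ hasHostPermission: false, method: 'PUT' });
  console.log(`CORS response accepted: ${ok}; PUT costs ${withPerm} request(s) with a host permission, ${withoutPerm} without`);
  return { ok, withPerm, withoutPerm };
}

demo();
```

The GET the question describes is a simple request, which is why the answer says the manifest permission brings no speed-up there; a JSON POST or any request carrying an Authorization header is non-simple and pays the extra OPTIONS round-trip unless the host permission is present. The optional-permission route the answer suggests is declared under the manifest's optional_permissions key and granted from the options page through chrome.permissions.request, which shows the same consent dialog the answer warns about, but only when the user opts in.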
