Chrome extension Cross Domain Request


Problem description

I know that this has been talked about many times here, and I have read most of these threads but I can't seem to get my script working.

The problem is that I am trying to use the Bitly API to shorten URLs in a Google Chrome extension. I am saving the user's login and apiKey in localStorage, and before I do so I validate them.

The code to do so is:

$.ajax({
    url: "http://api.bit.ly/v3/validate",
    dataType: 'jsonp',
    data: {
        login: login,
        apiKey: apiKey,
        x_login: "test",
        x_apiKey: "test"
    },
    success: function (jo, textStatus, jqXHR) {
        if (jo.status_code == 200) {
            setItem('dg_BitlyApiKey', apiKey);
            setItem('dg_BitlyLogin', login);
            alert('Saved');
        } else {
            alert('Incorrect login and/or apiKey!')
        }
    }
});

I do have my permissions set to "permissions": ["tabs", "notifications", "http://*/*", "https://*/*"] but I still keep getting:

Refused to load script from 'http://api.bit.ly/v3/validate?callback=jQuery17204477599645033479_1334062200771&login=&apiKey=&x_login=test&x_apiKey=test&_=1334062201506' because of Content-Security-Policy.

The script itself works outside the extension so I assume the problem isn't within the script but with the permissions.

What am I doing wrong here?

Solution

The problem is that you aren't really doing an XHR request, you're doing a JSONP request on an insecure HTTP resource. See the question How to load an external JavaScript inside an extension popup and the related Chromium bug report.

Yeah, we're no longer allowing insecure scripts in extensions. If you load a script over HTTP, an active network attacker can inject script into your extension, which is a security vulnerability.

JSONP operates by dynamically adding a new script tag into your page and then executing the contents. In your case, the script resource is fetched over HTTP (instead of HTTPS). If your extension uses version 2 of the extension manifest, its background pages cannot fetch non-HTTPS scripts.

Solution: If you use the Bitly API over HTTPS, I believe that will fix your issue. Send your Ajax call to https://api-ssl.bitly.com/v3/validate (instead of your current value of http://api.bit.ly/v3/validate).
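
The HTTPS fix above, taken one step further as a plain JSON request so that the response is parsed as data and never executed as script the way a JSONP response is. This is an added example, not code from the question or the answer; the function names are hypothetical, the sample response bodies are constructed, and it assumes the endpoint returns JSON when no callback parameter is sent.

```javascript
// Added example: validate Bitly credentials with a JSON request over HTTPS
// instead of JSONP. Function names are hypothetical.
const VALIDATE_URL = "https://api-ssl.bitly.com/v3/validate"; // endpoint named in the answer

// Build the request URL; refuse any non-HTTPS endpoint so the credentials and
// the response cannot be read or modified by a network attacker.
function buildValidateUrl(params, base = VALIDATE_URL) {
  const url = new URL(base);
  if (url.protocol !== "https:") {
    throw new Error("refusing non-HTTPS endpoint: " + url.origin);
  }
  // Same parameter names as the question's $.ajax call; no `callback`
  // parameter, so the server is asked for JSON rather than a JSONP script.
  for (const name of ["login", "apiKey", "x_login", "x_apiKey"]) {
    url.searchParams.set(name, String(params[name] || ""));
  }
  return url.toString();
}

// Interpret the body as inert JSON. Mirrors the question's status_code check.
function isValidResponse(bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (e) {
    return false; // not JSON (for example a JSONP wrapper): treat as failure
  }
  return body !== null && typeof body === "object" && body.status_code === 200;
}

// fetchImpl is injectable for testing; in an extension page the default is the
// browser's fetch, allowed cross-origin by the manifest's host permissions.
async function validateCredentials(params, fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(buildValidateUrl(params));
  return isValidResponse(await res.text());
}

// Constructed sample bodies (not captured from the real service).
const SAMPLE_OK = '{"status_code": 200, "status_txt": "OK"}';
const SAMPLE_BAD = '{"status_code": 500, "status_txt": "ERROR"}';
const SAMPLE_JSONP = 'jQuery123({"status_code": 200})';
```

With this shape the extension's default Content-Security-Policy never comes into play, because no remote script tag is created.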
