Access-Control-Allow-Origin not checking in chrome extension

Problem description


As you know, when sending a $.ajax(..) request to another domain (cross-domain), most browsers throw an exception like:

 XMLHttpRequest cannot load http://mysite.com/test.php. Origin
 http://127.0.0.1:8888 is not allowed by Access-Control-Allow-Origin.

I am creating a Chrome extension and it should send a request to my website. First, I expected to see the above message, too. But I was confused when I saw it worked fine.

First, it seems good, it's working and I have what I want. But it can be horrible. Everyone can use such a way (only a simple script) to attack my site and grab its data.

Of course, grabbing could happen in other ways, too. I am new to API programming and Chrome extensions. Can anyone show me the way?

manifest.json

{
  "manifest_version": 2,
  "name": "MyTestExtension",
  "description": "this extension is for test",
  "version": "1.0",
  "icons": {
    "128": "icon.png"
  },
  "browser_action": {
    "default_icon": "icon.png"
  },
  "permissions": [
    "tabs",
    "*://*/*"
  ],
  "content_scripts": [
    {
      "matches": ["*://*/*"],
      "js": ["jquery-1.7.2.min.js", "content_script.js"],
      "run_at": "document_end"
    }
  ]
}

content_script.js

$(document).ready(function(){
    $('html').mouseup(function() {
        var selectedText = getSelectedText();
        if (selectedText !== '') {
            my_syncTest(selectedText);      // here : the selected text is sent to my site
        }
    });

    // Returns the trimmed selection, or '' when nothing is selected.
    function getSelectedText() {
        var selection = '';
        if (window.getSelection) {
            selection = window.getSelection().toString();
        } else if (document.selection) {    // old IE fallback
            selection = document.selection.createRange().text;
        }
        return selection.trim();
    }
});


function my_syncTest(word){
    $.ajax({
        type: "POST",
        url: 'http://mysite.com/test.php',
        dataType: 'json',
        // Passing an object lets jQuery URL-encode the values, so a word containing
        // '&' or '=' cannot break the query string the way manual concatenation did.
        data: { word: word, header: 555, simwords: 1 },

        success: function(res){
            console.log(res.success + " - " + res.idWord + " - " + res.header + " - " + res.meaning);
        },
        error: function(xhr, status){
            console.log('request failed: ' + status);
        }
    });
}

Solution

XMLHttpRequests from your extension work because you defined these permissions in the manifest:

"permissions": [
    "*://*/*"
]

When a user installs your extension, he is informed that this extension can access his data on all sites. I prefer only including the exact site you need instead of wildcards.

http://developer.chrome.com/extensions/xhr.html

This mechanism is to protect the user, not to protect your site. If you don't want everybody to use your API, use API keys, or look into OAuth:

http://en.wikipedia.org/wiki/OAuth

If you want to learn more about cross-origin requests:

http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS
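As an added example (not from the question or the answer), the manifest from the question with the wildcard host permission "*://*/*" replaced by the single host that my_syncTest actually talks to; the content script still matches every page because the selection feature needs it, but cross-origin requests are now only granted to http://mysite.com:

```json
{
  "manifest_version": 2,
  "name": "MyTestExtension",
  "description": "this extension is for test",
  "version": "1.0",
  "icons": { "128": "icon.png" },
  "browser_action": { "default_icon": "icon.png" },
  "permissions": [
    "tabs",
    "http://mysite.com/*"
  ],
  "content_scripts": [
    {
      "matches": ["*://*/*"],
      "js": ["jquery-1.7.2.min.js", "content_script.js"],
      "run_at": "document_end"
    }
  ]
}
```

The install-time warning then names only that site instead of "all websites", which is the point the answer makes.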
