OLD | NEW |
1 <div id="pageData-name" class="pageData">Cross-Origin XMLHttpRequest</div> | 1 <div id="pageData-name" class="pageData">Cross-Origin XMLHttpRequest</div> |
2 | 2 |
3 <!-- BEGIN AUTHORED CONTENT --> | 3 <!-- BEGIN AUTHORED CONTENT --> |
4 <p id="classSummary"> | 4 <p id="classSummary"> |
5 Regular web pages can use the | 5 Regular web pages can use the |
6 <a href="http://www.w3.org/TR/XMLHttpRequest/">XMLHttpRequest</a> | 6 <a href="http://www.w3.org/TR/XMLHttpRequest/">XMLHttpRequest</a> |
7 object to send and receive data from remote servers, | 7 object to send and receive data from remote servers, |
8 but they're limited by the | 8 but they're limited by the |
9 <a href="http://en.wikipedia.org/wiki/Same_origin_policy">same origin policy</a>
. | 9 <a href="http://en.wikipedia.org/wiki/Same_origin_policy">same origin policy</a>
. |
10 Extensions aren't so limited. | 10 Extensions aren't so limited. |
(...skipping 18 matching lines...)
29 in a <code>config_resources</code> folder, the extension can retrieve the file's
contents like | 29 in a <code>config_resources</code> folder, the extension can retrieve the file's
contents like |
30 this:</p> | 30 this:</p> |
31 | 31 |
32 <pre> | 32 <pre> |
33 var xhr = new XMLHttpRequest(); | 33 var xhr = new XMLHttpRequest(); |
34 xhr.onreadystatechange = handleStateChange; // Implemented elsewhere. | 34 xhr.onreadystatechange = handleStateChange; // Implemented elsewhere. |
35 xhr.open("GET", chrome.extension.getURL('/config_resources/config.json'), true); | 35 xhr.open("GET", chrome.extension.getURL('/config_resources/config.json'), true); |
36 xhr.send(); | 36 xhr.send(); |
37 </pre> | 37 </pre> |
38 | 38 |
| 39 <p class="caution"> |
| 40 <b>Bug note:</b> |
| 41 Until <a href="http://crbug.com/41024">bug 41024</a> is fixed, |
| 42 the preceding code won't work. |
| 43 </p> |
| 44 |
39 <p>If the extension attempts to use a security origin other than itself, | 45 <p>If the extension attempts to use a security origin other than itself, |
40 say http://www.google.com, | 46 say http://www.google.com, |
41 the browser disallows it | 47 the browser disallows it |
42 unless the extension has requested the appropriate cross-origin permissions. | 48 unless the extension has requested the appropriate cross-origin permissions. |
43 </p> | 49 </p> |
44 | 50 |
45 <h2 id="requesting-permission">Requesting cross-origin permissions</h2> | 51 <h2 id="requesting-permission">Requesting cross-origin permissions</h2> |
46 | 52 |
47 <p>By adding hosts or host match patterns (or both) to the | 53 <p>By adding hosts or host match patterns (or both) to the |
48 <a href="manifest.html#permissions">permissions</a> section of the | 54 <a href="manifest.html#permissions">permissions</a> section of the |
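Review bot: The caution added after the config.json sample (new lines 39-43) says only that "the preceding code won't work". It does not say which step fails or what a reader should do in the meantime, while the sample itself stays in place as the documented way to read a packaged file. Suggest stating the symptom (for example, whether the request to the chrome.extension.getURL() URL errors out or returns an empty response), then either giving a workaround or saying there is none. Also consider an HTML comment beside the note asking for its removal once bug 41024 is closed, so the caution does not outlive the fix.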
(...skipping 104 matching lines...)
153 </pre> | 159 </pre> |
154 <p> | 160 <p> |
155 Additionally, be especially careful of resource retrieved via HTTP. If your | 161 Additionally, be especially careful of resource retrieved via HTTP. If your |
156 extension is used on a hostile network, an network attacker (aka a <a | 162 extension is used on a hostile network, an network attacker (aka a <a |
157 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">"man-in-the-middle"
</a>) | 163 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">"man-in-the-middle"
</a>) |
158 could modify the response and, potentially, attack your extension. Instead, | 164 could modify the response and, potentially, attack your extension. Instead, |
159 prefer HTTPS whenever possible. | 165 prefer HTTPS whenever possible. |
160 </p> | 166 </p> |
161 | 167 |
162 <!-- END AUTHORED CONTENT --> | 168 <!-- END AUTHORED CONTENT --> |