Cross-domain XMLHttpRequest using background pages

by

You don’t have to mess with iframes. It’s possible to perform cross-domain XMLHttpRequests, using background pages. Since Chrome 13, cross-site requests can be made from the content script. However, requests can still fail if the page is served with a Content Security Policy header with a restricting connect-src.

Another reason for choosing the nexy method over content scripts is that requests to http sites will cause a mixed content warning (“The page at https://… displayed insecure content from http://…”).

Yet another reason for delegating the request to the background page is when you want to get a resource from the file://, because a content script cannot read from file:, unless it is running on a page at the file:// scheme.

Note
To enable cross-origin requests, you have to explicitly grant permissions to your extension using the permissions array in your manifest file.

Cross-site request using background script.

The content script would request the functionality from the background via the messaging API. Here is an example of a very simple way of sending and getting the response of a request.

chrome.runtime.sendMessage({
    method: 'POST',
    action: 'xhttp',
    url: 'http://www.stackoverflow.com/search',
    data: 'q=something'
}, function(responseText) {
    alert(responseText);
    /*Callback function to deal with the response*/
});

Background / event page:

/**
 * Possible parameters for request:
 *  action: "xhttp" for a cross-origin HTTP request
 *  method: Default "GET"
 *  url   : required, but not validated
 *  data  : data to send in a POST request
 *
 * The callback function is called upon completion of the request */
chrome.runtime.onMessage.addListener(function(request, sender, callback) {
    if (request.action == "xhttp") {
        var xhttp = new XMLHttpRequest();
        var method = request.method ? request.method.toUpperCase() : 'GET';

        xhttp.onload = function() {
            callback(xhttp.responseText);
        };
        xhttp.onerror = function() {
            // Do whatever you want on error. Don't forget to invoke the
            // callback to clean up the communication port.
            callback();
        };
        xhttp.open(method, request.url, true);
        if (method == 'POST') {
            xhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
        }
        xhttp.send(request.data);
        return true; // prevents the callback from being called too early on return
    }
});

Remark: The messaging APIs have been renamed several times. If your target browser is not the latest Chrome version, check out this answer.

For completeness, here’s a manifest file to try out my demo:

{
    "name": "X-domain test",
    "manifest_version": 2,
    "permissions": [
        "http://www.stackoverflow.com/search*"
    ],
    "content_scripts": {
        "js": ["contentscript.js"],
        "matches": ["http://www.example.com/*"]
    },
    "background": {
        "scripts": ["background.js"],
        "persistent": false
    }
}

More Related Contents:

  1. Persistent Service Worker in Chrome Extension
  2. “Origin null is not allowed by Access-Control-Allow-Origin” in Chrome. Why? [duplicate]
  3. How do I send an HTTP GET request from a Chrome extension?
  4. Cross-Origin XMLHttpRequest in chrome extensions
  5. How do I send an HTTP request from a Chrome extension?
  6. Origin is not allowed by Access-Control-Allow-Origin
  7. How to wait until an element exists?
  8. How to make cross domain request [duplicate]
  9. Since v38, Chrome extension cannot load from HTTP URLs anymore, workaround?
  10. How to use jQuery in chrome extension?
  11. Chrome extension: How to save a file on disk
  12. Executing code at page-level from Background.js and returning the value
  13. Chrome Extension: Make it run every page load
  14. Checkbox Check Event Listener
  15. saving and retrieving from chrome.storage.sync
  16. Completely lost on how to save extension popup window content
  17. Is there a way to uniquely identify an iframe that the content script runs in for my Chrome extension?
  18. How to make side panel in chrome extension?
  19. Facebook: Unsafe JavaScript issue (document.domain values should be same)
  20. google chrome extension :: console.log() from background page?
  21. Can I prevent an alert() with a Google Chrome Extension
  22. Sending message to background script
  23. Javascript: Let user select an HTML element like Firebug?
  24. Prevent window.open from focusing
  25. Associate a custom user agent to a specific Google Chrome page/tab
  26. How to clear chrome.storage.local and chrome.storage.sync?
  27. iframe not reading cookies in Chrome
  28. Can a website block a Chrome Extension? [duplicate]
  29. XmlHttpRequest.responseText while loading (readyState==3) in Chrome
  30. Where are cookies saved for a local HTML file?

Leave a Comment