OLD | NEW |
1 <div id="pageData-name" class="pageData">Cross-Origin XMLHttpRequest</div> | 1 <div id="pageData-name" class="pageData">Cross-Origin XMLHttpRequest</div> |
2 | 2 |
3 <!-- BEGIN AUTHORED CONTENT --> | 3 <!-- BEGIN AUTHORED CONTENT --> |
4 <p id="classSummary"> | 4 <p id="classSummary"> |
5 Regular web pages can use the | 5 Regular web pages can use the |
6 <a href="http://www.w3.org/TR/XMLHttpRequest/">XMLHttpRequest</a> | 6 <a href="http://www.w3.org/TR/XMLHttpRequest/">XMLHttpRequest</a> |
7 object to send and receive data from remote servers, | 7 object to send and receive data from remote servers, |
8 but they're limited by the | 8 but they're limited by the |
9 <a href="http://en.wikipedia.org/wiki/Same_origin_policy">same origin policy</a>
. | 9 <a href="http://en.wikipedia.org/wiki/Same_origin_policy">same origin policy</a>
. |
10 Extensions aren't so limited. | 10 Extensions aren't so limited. |
11 An extension can talk to remote servers outside of its origin, | 11 An extension can talk to remote servers outside of its origin, |
12 as long as it first requests cross-origin permissions.</p> | 12 as long as it first requests cross-origin permissions.</p> |
13 | 13 |
14 <p class="note"> | |
15 <b>Version note:</b> | |
16 As of Chrome 13, | |
17 content scripts can make cross-origin requests | |
18 to the same servers as the rest of the extension. | |
19 Before Chrome 13, a content script couldn't directly make requests; | |
20 instead, it had to | |
21 send a message to its parent extension | |
22 asking the extension to make a cross-origin request. | |
23 </p> | |
24 | |
25 <h2 id="extension-origin">Extension origin</h2> | 14 <h2 id="extension-origin">Extension origin</h2> |
26 <p>Each running extension exists within its own separate security origin. Withou
t | 15 <p>Each running extension exists within its own separate security origin. Withou
t |
27 requesting additional privileges, the extension can use | 16 requesting additional privileges, the extension can use |
28 XMLHttpRequest to get resources within its installation. For example, if | 17 XMLHttpRequest to get resources within its installation. For example, if |
29 an extension contains a JSON configuration file called <code>config.json</code>, | 18 an extension contains a JSON configuration file called <code>config.json</code>, |
30 in a <code>config_resources</code> folder, the extension can retrieve the file's
contents like | 19 in a <code>config_resources</code> folder, the extension can retrieve the file's
contents like |
31 this:</p> | 20 this:</p> |
32 | 21 |
33 <pre> | 22 <pre> |
34 var xhr = new XMLHttpRequest(); | 23 var xhr = new XMLHttpRequest(); |
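Review bot: Deleting the version note (old lines 14-23) also removes the only statement in the visible lines that content scripts can make cross-origin requests to the same servers as the rest of the extension. If the unchanged part of the page does not say this elsewhere, keep one sentence stating that behaviour without the Chrome 13 history. The pre-13 workaround (sending a message to the parent extension to make the request) should be dropped only if these docs no longer cover those versions; the change description should say so.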
(...skipping 119 matching lines...)
154 </pre> | 143 </pre> |
155 <p> | 144 <p> |
156 Additionally, be especially careful of resources retrieved via HTTP. If your | 145 Additionally, be especially careful of resources retrieved via HTTP. If your |
157 extension is used on a hostile network, an network attacker (aka a <a | 146 extension is used on a hostile network, an network attacker (aka a <a |
158 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">"man-in-the-middle"
</a>) | 147 href="http://en.wikipedia.org/wiki/Man-in-the-middle_attack">"man-in-the-middle"
</a>) |
159 could modify the response and, potentially, attack your extension. Instead, | 148 could modify the response and, potentially, attack your extension. Instead, |
160 prefer HTTPS whenever possible. | 149 prefer HTTPS whenever possible. |
161 </p> | 150 </p> |
162 | 151 |
163 <!-- END AUTHORED CONTENT --> | 152 <!-- END AUTHORED CONTENT --> |
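Review bot: Old line 157 / new line 146 reads "an network attacker"; since the file is being edited anyway, correct it to "a network attacker". The sentence on old lines 159-160 / new lines 148-149 would also read more directly as "Prefer HTTPS whenever possible." without the leading "Instead,".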