Regular web pages can use the fetch() or XMLHttpRequest APIs to send and receive data from remote servers, but they're limited by the same origin policy. Content scripts initiate requests on behalf of the web origin that the content script has been injected into, and therefore content scripts are also subject to the same origin policy. (Content scripts have been subject to CORB since Chrome 73 and CORS since Chrome 83.) Extension origins aren't so limited. A script executing in an extension service worker or foreground tab can talk to remote servers outside of its origin, as long as the extension requests cross-origin permissions.

# Extension origin

Each running extension exists within its own separate security origin. Without requesting additional privileges, the extension can call fetch() to get resources within its installation. For example, if an extension contains a JSON configuration file called config.json, in a config_resources/ folder, the extension can retrieve the file's contents like this:

```js
// Same-origin request for a file packaged with the extension.
const response = await fetch('/config_resources/config.json');
const jsonData = await response.json();
```

If the extension attempts to use a security origin other than itself, the browser disallows it unless the extension has requested the appropriate cross-origin permissions. To request access to remote servers outside an extension's origin, add hosts, match patterns, or both to the host_permissions section of the manifest file.

Additionally, be especially careful of resources retrieved via HTTP.
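
As an added example (not part of the original page and not Chrome's own code), the script below audits a manifest's host_permissions for broad host access and cleartext HTTP, and checks whether a given URL is covered by the declared patterns. It assumes a simplified pattern grammar (http/https patterns without ports, path matching ignored); the function names and the hosts in the sample manifest are constructed placeholders.

```javascript
// Added example: audit host_permissions match patterns (simplified grammar).
// Pattern shape: <scheme>://<host>/<path>; "<all_urls>" is a special case.
const PATTERN = /^(\*|https?):\/\/(\*|(?:\*\.)?[^/*:]+)(\/.*)$/;

// Returns a list of findings for one match pattern (empty list = narrow HTTPS).
function auditPattern(pattern) {
  if (pattern === '<all_urls>') return ['all-hosts', 'cleartext-http'];
  const m = PATTERN.exec(pattern);
  if (!m) return ['unrecognized-pattern'];
  const [, scheme, host] = m;
  const findings = [];
  if (host === '*') findings.push('all-hosts');
  else if (host.startsWith('*.')) findings.push('wildcard-subdomains');
  // Scheme "*" matches http as well as https, so it also permits cleartext.
  if (scheme === 'http' || scheme === '*') findings.push('cleartext-http');
  return findings;
}

// True when `url` is covered by at least one pattern (scheme and host only;
// only http/https URLs are considered in this example).
function isCovered(url, patterns) {
  const { protocol, hostname } = new URL(url);
  const scheme = protocol.slice(0, -1);
  if (!/^https?$/.test(scheme)) return false;
  return patterns.some((p) => {
    if (p === '<all_urls>') return true;
    const m = PATTERN.exec(p);
    if (!m) return false;
    const [, pScheme, pHost] = m;
    const schemeOk = pScheme === '*' || pScheme === scheme;
    // "*.example.org" matches example.org itself and any subdomain of it.
    const hostOk = pHost === '*' || pHost === hostname ||
      (pHost.startsWith('*.') &&
        (hostname === pHost.slice(2) || hostname.endsWith(pHost.slice(1))));
    return schemeOk && hostOk;
  });
}

// Maps each declared pattern to its findings.
function auditManifest(manifest) {
  const report = {};
  for (const p of manifest.host_permissions ?? []) report[p] = auditPattern(p);
  return report;
}

// Constructed sample manifest fragment; the hosts are placeholders.
const sampleManifest = {
  manifest_version: 3,
  host_permissions: ['https://api.example.com/*', 'http://*.example.org/*', '*://*/*'],
};
console.log(auditManifest(sampleManifest));
```

A pattern with no findings grants access to a single named host over HTTPS only; anything else deserves a second look before the extension ships.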