Chrome XMLHttpRequest calls
Source: Internet  Editor: 程序博客网  Date: 2024/05/10 18:34
Cross-Origin XMLHttpRequest
Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.
Note: Content scripts can't directly make cross-origin requests. However, a content script can send a message to its parent extension that asks the extension to make a cross-origin request. For an example of this technique, see the contentscript_xhr example.
Extension origin
Each running extension exists within its own separate security origin. Without requesting additional privileges, the extension can use XMLHttpRequest to get resources within its installation. For example, if an extension contains a JSON configuration file called config.json in a config_resources folder, the extension can retrieve the file's contents like this:
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = handleStateChange; // Implemented elsewhere.
xhr.open("GET", chrome.extension.getURL('/config_resources/config.json'), true);
xhr.send();
If the extension attempts to use a security origin other than itself, say http://www.google.com, the browser disallows it unless the extension has requested the appropriate cross-origin permissions.
Requesting cross-origin permissions
By adding hosts or host match patterns (or both) to the permissions section of the manifest file, the extension can request access to remote servers outside of its origin.
{
"name": "My extension",
...
"permissions": [
"http://www.google.com/"
],
...
}
Cross-origin permission values can be fully qualified host names,like these:
- "http://www.google.com/"
- "http://www.gmail.com/"
Or they can be match patterns, like these:
- "http://*.google.com/"
- "http://*/"
A match pattern of "http://*/" allows HTTP access to all reachable domains. Note that here, match patterns are similar to content script match patterns, but any path information following the host is ignored.
Also note that access is granted both by host and by scheme. If an extension wants both secure and non-secure HTTP access to a given host or set of hosts, it must declare the permissions separately:
"permissions": [
"http://www.google.com/",
"https://www.google.com/"
]
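The rules just stated (permission is granted per scheme and per host, a leading "*." covers the host and its subdomains, a bare "*" host covers every host, and any path after the host is ignored) are easy to get wrong when auditing a manifest. The following checker is an added example written for this page, not code from the Chrome documentation or from Chrome itself; the function names parsePermission, hostMatches and isUrlPermitted are hypothetical, and it models only the http/https match patterns shown above.

```javascript
// Added example: decide whether a URL is covered by a list of declared
// host permissions, following the rules described in the text above.
// Not part of the Chrome docs; the helper names are hypothetical.

function parsePermission(pattern) {
  // Split "scheme://host/anything" into scheme and host; the path is ignored
  // because Chrome ignores path information in permission patterns.
  const m = /^(https?):\/\/([^/]+)(\/.*)?$/.exec(pattern);
  if (!m) return null;
  return { scheme: m[1], host: m[2] };
}

function hostMatches(patternHost, host) {
  // "*" covers every reachable host.
  if (patternHost === '*') return true;
  // "*.google.com" covers google.com itself and any subdomain of it,
  // but not a host that merely ends in "google.com" (e.g. evilgoogle.com).
  if (patternHost.startsWith('*.')) {
    const suffix = patternHost.slice(2);
    return host === suffix || host.endsWith('.' + suffix);
  }
  return patternHost === host;
}

function isUrlPermitted(url, permissions) {
  let target;
  try {
    target = new URL(url);
  } catch (e) {
    return false; // unparsable URL is never permitted
  }
  const scheme = target.protocol.replace(':', '');
  return permissions.some((p) => {
    const parsed = parsePermission(p);
    // Scheme must match exactly: an "http://" grant does not imply "https://".
    return parsed !== null && parsed.scheme === scheme && hostMatches(parsed.host, target.hostname);
  });
}

// Constructed sample manifest permissions, mirroring the examples above.
const samplePermissions = ['http://www.google.com/', 'http://*.gmail.com/'];

// isUrlPermitted('http://www.google.com/search?q=x', samplePermissions) -> true  (path ignored)
// isUrlPermitted('https://www.google.com/', samplePermissions)          -> false (scheme differs)
// isUrlPermitted('http://mail.gmail.com/', samplePermissions)           -> true  (subdomain wildcard)
```

The checker reproduces the two surprises most often missed in review: a path in the pattern changes nothing, and an "http://" entry grants nothing over "https://".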
Security considerations
When using resources retrieved via XMLHttpRequest, your background page should be careful not to fall victim to cross-site scripting. Specifically, avoid using dangerous APIs such as the below:
background.html
===============
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://api.example.com/data.json", true);
xhr.onreadystatechange = function() {
  if (xhr.readyState == 4) {
    // WARNING! Might be evaluating an evil script!
    var resp = eval("(" + xhr.responseText + ")");
    ...
  }
}
xhr.send();
background.html
===============
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://api.example.com/data.json", true);
xhr.onreadystatechange = function() {
  if (xhr.readyState == 4) {
    // WARNING! Might be injecting a malicious script!
    document.getElementById("resp").innerHTML = xhr.responseText;
    ...
  }
}
xhr.send();
Instead, prefer safer APIs that do not run scripts:
background.html
===============
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://api.example.com/data.json", true);
xhr.onreadystatechange = function() {
  if (xhr.readyState == 4) {
    // JSON.parse does not evaluate the attacker's scripts.
    var resp = JSON.parse(xhr.responseText);
  }
}
xhr.send();
background.html
===============
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://api.example.com/data.json", true);
xhr.onreadystatechange = function() {
  if (xhr.readyState == 4) {
    // innerText does not let the attacker inject HTML elements.
    document.getElementById("resp").innerText = xhr.responseText;
  }
}
xhr.send();
Additionally, be especially careful of resources retrieved via HTTP. If your extension is used on a hostile network, a network attacker (aka a "man-in-the-middle") could modify the response and, potentially, attack your extension. Instead, prefer HTTPS whenever possible.
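The three safe-handling rules above (parse with JSON.parse rather than eval, write responses into the page as text rather than markup, and fetch over HTTPS) can be pulled out of the onreadystatechange callback into small functions that are easy to test without a browser. The following is an added example for this page, not code from the Chrome documentation; requireHttps, parseJsonResponse and renderAsText are hypothetical names, and the DOM element is replaced by a plain object so the code runs outside a browser.

```javascript
// Added example: response handling that applies the security considerations
// above. Not part of the Chrome docs; function names are hypothetical.

// Only allow the request to proceed over HTTPS, so that a network attacker
// on a hostile network cannot rewrite the response in transit.
function requireHttps(url) {
  let target;
  try {
    target = new URL(url);
  } catch (e) {
    return false;
  }
  return target.protocol === 'https:';
}

// JSON.parse accepts only JSON data. Anything that is executable JavaScript
// but not valid JSON (which eval would happily run) is rejected here.
// Returns the parsed object, or null when the body is not a plain JSON object.
function parseJsonResponse(text) {
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    return null; // syntax error: not JSON, so nothing was evaluated
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    return null; // reject scalars and arrays if the API promises an object
  }
  return value;
}

// Assign the response as text, never as HTML. textContent is the standard
// equivalent of the innerText used in the docs; both treat "<" as a character.
function renderAsText(element, text) {
  element.textContent = text;
  return element.textContent;
}

// Constructed sample bodies, as an attacker-controlled server might return them.
const goodBody = '{"user":"alice","count":3}';
const evalOnlyBody = '({"user":"alice"})';      // eval("(" + ... + ")") accepts this; JSON.parse does not
const scriptBody = 'alert(document.cookie)';     // plain JS, not JSON
const markupBody = '<img src=x onerror=alert(1)>';

function demo() {
  // A stand-in for document.getElementById("resp") so this runs outside a browser.
  const fakeElement = { textContent: '' };
  return {
    httpsOk: requireHttps('https://api.example.com/data.json'),
    httpRejected: !requireHttps('http://api.example.com/data.json'),
    parsedGood: parseJsonResponse(goodBody),
    parsedEvalOnly: parseJsonResponse(evalOnlyBody),
    parsedScript: parseJsonResponse(scriptBody),
    rendered: renderAsText(fakeElement, markupBody),
  };
}
```

Inside a real extension the callback would call requireHttps before xhr.open, parseJsonResponse on xhr.responseText, and renderAsText on the target element; the shape check in parseJsonResponse is the part most extensions forget, since a valid JSON number or string can still break code that assumes an object.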