What are the restrictions on AJAX requests in Chrome apps?

I am planning a Chrome app project in which I will make numerous AJAX calls. Before adopting Chrome Apps as a platform, I'd like to better understand its limitations and benefits with respect to AJAX calls compared to web applications. After doing some research, I came up with the answers below. Since I have limited experience in this area, I would like to know whether my conclusions are correct and whether there are other limitations that should be considered.

1. Origin

Origin restrictions are more flexible for Chrome apps than for web applications: the same-origin policy as it applies to AJAX requests can be relaxed in apps by requesting cross-origin permissions. Therefore, there is no need for methods such as Cross-Origin Resource Sharing (CORS) and JSONP (which is actually prohibited by the Content Security Policy (CSP)).

2. Content

The restrictions on available content are more serious: Chrome Apps can only reference scripts, style sheets, images, frames, plugins and fonts from within the application package, but media resources (video, audio and associated text tracks) can be loaded from any external source. The 'connect-src' directive is configured to allow any URI, so given cross-origin permissions, or using CORS, you can make AJAX calls to any host and receive text and media responses. Other types of content can be used as blobs. The CSP cannot be relaxed.

(A feature I discovered: CSP prohibits loading several types of content directly, so you have to download them as blobs via AJAX requests. Because of the same-origin policy, this has to be done through CORS. Most servers do not support CORS, even if their content is … Therefore, if Chrome Apps relied solely on Access-Control-Allow-Origin (ACAO) response headers, the CORS approach would fail in many cases; the solution is cross-origin permissions: if access to the server has been granted as a permission, the request passes even if no appropriate ACAO header is received. But you can also rely on CORS: if the cross-origin permission is not granted but the request goes to a server that sets ACAO, it also passes.)

Two additional notes:

  • Some of the Chrome Apps documentation refers to extensions, not apps. In these cases, I assume that the information provided there is correct for apps too.
  • Synchronous XHR requests are disabled.
1 answer

Unfortunately, you just need to check it all out. I found that the Google docs (especially for Chrome apps) are sorely lacking and often wrong. Looking through the documents, it seems that they wrote them for extensions, copied all of them, and then, when they encountered a difference, changed the documents, but did not cover everything.

Regarding access to external sources, follow these "instructions": http://developer.chrome.com/apps/app_external.html#external

And if you find a problem, report it here: https://code.google.com/p/chromium/issues/list
