Geek Answers Handbook

Origin header is present in non-GET requests in a Chrome app, even if the server URL is added in permissions

I am working on a chrome application that will communicate with the server through the RESTful API.

Without adding the server URL to the permissions in manifest.json, I see that Chrome sends all requests with the source header (chrome-extension: // cpndc ....), and if any of these requests has non-standard headers he also sends a request for OPTIONS options - that’s all as expected.

After adding a domain to permissions, preflight OPTIONS are no longer sent. The origin header is absent in GET calls, but it is still present in POST, PATCH, MERGE calls.

This causes problems, since the implementation of CORS on the server that I will use assumes that the requests with the source header are CORS requests and respond to error 403, since it does not look like the source - this origin with the chrome extension is not in the list of accepted origin .

According to the CORS specification, it is expected that the source header should be added only in the cross-domain request https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS#Origin , but since the server domain is added to the permissions, I would I expected that not only GET, but also other requests did not have it.

Q: is this a bug in the implementation of CORS in Chrome apps?

Summary of my results with Chrome apps:

If the endpoint URL is not added to the permissions in the manifest file (CORS will be enabled): - The Chrome application sends the source header in all types of requests - The Chrome application sends the OPTIONS preposition for all requests that have non-standard headers.

If the endpoint URL is added to the permissions in the manifest file (security for requests to this domain is disabled) - Chrome Apps no longer sends an OPTIONS preview (as expected) - The Chrome application sends the original header only for requests other than GET (not should send the source data in general)

Example permission file:

"permissions": [ "http://api.randomuser.me/*"

]

Example application code:

 window.onload = function() { function get(){ var xhr = new XMLHttpRequest(); xhr.open("GET", "http://api.randomuser.me/?seed=bigFish", true); xhr.setRequestHeader('Authn', 'abcdefghijklmnopqrstuvxyz'); xhr.onload = function (e) { if (xhr.readyState === 4) { if (xhr.status === 200) { console.log(xhr.responseText); } else { console.error(xhr.statusText); } post(); } }; xhr.onerror = function (e) { console.error(xhr.statusText); }; xhr.send(null); } function post() { var xhr = new XMLHttpRequest(); xhr.open('POST', 'http://api.randomuser.me/', true); xhr.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); xhr.setRequestHeader('Authn', 'abcdefghijklmnopqrstuvxyz'); xhr.onload = function () { // do something to response console.log(this.responseText); }; xhr.send('user=person&pwd=password&organization=place&requiredkey=key'); } document.getElementById('mybutton').addEventListener('click', function() { get(); });

};

GET request without source header: GET request without the origin header

POST request with source header: POST request with the origin header

+6
source share
1 answer

I just found a similar question in StackOverflow:

Chrome appends Origin header to same original request

and one of the answers pointed to the specification: rfc6454 # section-7.3:

http://tools.ietf.org/html/rfc6454#section-7.3

Accordingly, the user agent MAY include the Origin header field in any HTTP request.

This means that the source header should not be related to CORS.

+4
source

More articles:


All Articles