8

I'm trying to manually set an origin in an ajax request header. In my background.js, I have this 

var ajaxResponse;
$.ajax({
    type:'POST',
    url:'www.somewebsite.com/login/login.asp',
    headers:{
            'origin': 'https://www.somewebsite.com'
    },
    success: function(response){
        ajaxResponse = response;
    }
});

As you can see, the origin is changed. But when this Chrome extension get executed, the origin gets override to chrome-extension://iphajdjhoofhlpldiilkujgommcolacc and the console gives error 'Refused to set unsafe header "origin"'

I've followed Chrome API (http://developer.chrome.com/extensions/xhr.html), and already set the permission as follows

"permissions": [
     "https://www.somewebsite.com/*"
 ],

Does anyone know how to properly set the origin in header? Thanks!

Maria
  • 3,455
  • 7
  • 34
  • 47
  • You can't. Why are you trying to change the origin? – abraham Jan 01 '14 at 03:41
  • @abraham, we should be able to. In Chrome Extension API it says 'Regular web pages can use the XMLHttpRequest object to send and receive data from remote servers, but they're limited by the same origin policy. Extensions aren't so limited. An extension can talk to remote servers outside of its origin, as long as it first requests cross-origin permissions.' (http://developer.chrome.com/extensions/xhr.html) – Maria Jan 01 '14 at 13:27
  • That is correct that extensions are not restricted to by cross-origin but you don't do that by changing the origin. You just make the XHR request and Chrome won't block it. – abraham Jan 01 '14 at 16:12

1 Answers1

6

You probably misinterpreted the docs:
the extension can request access to remote servers outside of its origin

This means that the extension can send the request to the remote servers (i.e. the browser itself will not block the request as would happen with a normal web-page's JS).
This does not mean that the extension will be allowed to send arbitrary headers along with the request nor that the remote server will respond to the request.

So, if the remote server, requires a specific value for the Origin header, then there is nothing you can do, since according to the specs you are not allowed to set the Origin header (and this limitation also holds for extensions).

gkalpak
  • 47,844
  • 8
  • 105
  • 118
  • would it be possible to use some kind of proxys, may be use the likes of curl, burp suite etc to change the Origin header?read about such a possibility somewhere. – anwith.ct Jan 06 '14 at 07:58
  • Sure. You could use several server-side libs to achieve what you want (but you need a server (or a service that offers that functionality)). – gkalpak Jan 06 '14 at 08:09