
javascript - Chrome extension AJAX request without Origin header - Stack Overflow


This is what an AJAX request made with jQuery from a Chrome extension looks like (print_r() in php)

Array
(
    [HTTP_HOST] => 127.0.0.1
    [HTTP_CONNECTION] => keep-alive
    [CONTENT_LENGTH] => 0
    [HTTP_ACCEPT] => */*
    [HTTP_ORIGIN] => chrome-extension://apdckddecfflophongckfbabbjhnjbph
    [HTTP_USER_AGENT] => Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.123 Safari/537.36
..

How can I remove the Origin header from an AJAX request before it leaves the browser?


asked Mar 23, 2014 at 23:32 by f.ardelian
  • I forgot to mention, I am making these requests from a background script. – f.ardelian Commented Mar 24, 2014 at 0:20

2 Answers

Just add the website to the permissions section of your manifest file (see match patterns for the valid formats). Then the request will be treated as if it was sent from the same origin as the website, and the "Origin" request header will not be added.

{
    ...
    "permissions": [
        "*://example.com/*"
    ]
}

(without this permission, Chrome will still try to fetch the resource using CORS, causing the "Origin" header to be added. Such requests will only succeed if the server replies with an Access-Control-Allow-Origin header that is either a wildcard (*) or matches the requester's origin.)

The Origin header is added by the browser automatically, and can't be controlled by the user. It is a web principal which determines the origin of a piece of content from the URI. CORS also uses this header to determine if this cross-domain request could be accepted or rejected.

The Origin header is always added in cross-origin requests; some same-origin requests might include it as well. For example, Chrome and Safari will include the Origin header on same-origin POST/PUT/DELETE requests; it depends on the browser implementation.

Unfortunately, I think there is no way to remove this header.
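
The CORS decision the answers above describe, modelled from the server's side and the browser's side. This is an added example, not code from either answer: the allow-list, the `https://app.example.com` origin and the function names are assumptions, and the extension origin is the one shown in the question's dump.

```javascript
// Constructed allow-list for illustration (assumption, not from the page,
// except the extension origin, which is the one in the question's dump).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "chrome-extension://apdckddecfflophongckfbabbjhnjbph",
]);

// Server side: choose the CORS response headers for a request.
// Header names are assumed to be lower-cased already.
function corsResponseHeaders(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (origin === undefined) {
    // No Origin header: the request was not made in CORS mode (for example
    // an extension holding a matching host permission, or a non-browser
    // client). No CORS headers are needed, and the absence of the header
    // identifies nobody, so it must not be treated as proof of a trusted caller.
    return {};
  }
  if (ALLOWED_ORIGINS.has(origin)) {
    // Echo the exact origin; Vary keeps caches from reusing it for others.
    return { "access-control-allow-origin": origin, vary: "Origin" };
  }
  return {}; // unknown origin: send nothing, the browser blocks the read
}

// Browser side: may the calling script read the response?
// requestOrigin === null models a request sent without an Origin header.
function browserAllowsRead(requestOrigin, responseHeaders) {
  if (requestOrigin === null) return true; // no CORS check applies
  const acao = responseHeaders["access-control-allow-origin"];
  return acao === "*" || acao === requestOrigin;
}

// Run one request through both sides.
function simulate(requestOrigin) {
  const requestHeaders = requestOrigin === null ? {} : { origin: requestOrigin };
  const responseHeaders = corsResponseHeaders(requestHeaders);
  return {
    responseHeaders,
    readable: browserAllowsRead(requestOrigin, responseHeaders),
  };
}
```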
