Webview-injected JavaScript got its XHR blocked on an HTTPS site


Shih Sheen

Jun 29, 2015, 4:09:26 AM
to chromi...@chromium.org
Hello,

I have a webview within my packaged app.

And there is a JavaScript file that I inject into every page once the webview loads a website.

The JavaScript will make an XHR POST to my local HTTP server (established in my packaged app).

But when the webview navigates to an HTTPS site, the XHR is blocked:

Mixed Content: The page at 'https://vimeo.com/' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://127.0.0.1:7469/service'. This request has been blocked; the content must be served over HTTPS.

I've already set this in my manifest.json : "permissions": ["<all_urls>"]

And it is not working.

My local HTTP server always sends a response to an XHR with these headers:
      HTTP/1.0 200 OK
      Access-Control-Allow-Origin: *
      Access-Control-Allow-Methods: POST, GET, OPTIONS
      Access-Control-Allow-Headers: origin, content-type, accept

But the webview just blocks the XHR, since I never get a request or a connection from the HTTPS website.

As far as I know, the XHR is rejected by the target HTTP server if the server does not allow a cross-origin request.

Is there any way to avoid the webview blocking the XHR from my JavaScript?

Thank you

Takeshi Yoshino

Jun 29, 2015, 4:26:17 AM
to Shih Sheen, Mike West, Chromium Apps
+mkwst

"permissions" in the manifest.json causes the specified URLs to be handled as the same origin. It doesn't have any effect on the mixed content checking ( https://w3c.github.io/webappsec/specs/mixedcontent/ ). It's a different security feature from CORS.

Takeshi

--
You received this message because you are subscribed to the Google Groups "Chromium Apps" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-app...@chromium.org.
To post to this group, send email to chromi...@chromium.org.
Visit this group at http://groups.google.com/a/chromium.org/group/chromium-apps/.
For more options, visit https://groups.google.com/a/chromium.org/d/optout.

Shih Sheen

Jun 29, 2015, 5:15:04 AM
to chromi...@chromium.org, cam....@gmail.com, mk...@google.com
Thank you, Takeshi.

So, what should I do to make the webview send an XHR from an HTTPS site to my HTTP server?

Or does the <webview> in a Chrome app not support CORS?

On Monday, June 29, 2015 at 4:26:17 PM UTC+8, Takeshi Yoshino wrote:

Takeshi Yoshino

Jul 2, 2015, 9:48:54 AM
to Shih Sheen, Chromium Apps, Mike West
I guess currently there's no way to exclude your XHR from the mixed content checking without specifying some flag. Mike should know more about that.

It's not about CORS. Mixed content checking is rejecting your XHR before proceeding to the CORS algorithm.

Shih Sheen

Jul 2, 2015, 10:14:41 PM
to chromi...@chromium.org, mk...@google.com, cam....@gmail.com
Thank you Takeshi.

I found that my HTTP server is not even getting a socket connection from the webview, so CORS never proceeds.

It seems that the <webview> just blocks it all the way as a "Mixed Content XHR".

It's OK for other kinds of mixed content resource requests; it just shows a warning message.

On Thursday, July 2, 2015 at 9:48:54 PM UTC+8, Takeshi Yoshino wrote:
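The ordering Takeshi describes (mixed content checking first, CORS only if that passes) and Shih Sheen's observation that the server never even sees a socket are easy to model. The JavaScript below is an added example written for this page; it is not code from the thread, from the Chromium <webview> implementation, or from the packaged app. It implements a simplified version of the Mixed Content "a priori authenticated URL" test and of the CORS preflight/response checks, feeds it the page origin, endpoint and response headers quoted in the thread, and shows why the request dies before any network connection. The `application/json` request body and the `loopbackIsTrustworthy` switch are assumptions: the 2015 Chrome in the thread treated `http://127.0.0.1` as insecure, whereas the current Secure Contexts spec classes loopback as potentially trustworthy, so the same request is no longer mixed content in a modern browser. Both behaviours are modelled.

```javascript
"use strict";

// Hosts that the Secure Contexts spec calls "potentially trustworthy" even over
// plain http. The flag lets you model the 2015 behaviour (loopback not exempt).
function isPotentiallyTrustworthy(url, loopbackIsTrustworthy) {
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  if (!loopbackIsTrustworthy) return false;
  const host = url.hostname;
  return host === "localhost" || host.endsWith(".localhost") ||
         host === "[::1]" || /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(host);
}

// Stage 1: mixed content. Decided purely from the two URLs, before any socket
// is opened, which is why the local server in the thread never sees a request.
function mixedContentCheck(pageUrl, requestUrl, loopbackIsTrustworthy = false) {
  const page = new URL(pageUrl), req = new URL(requestUrl);
  if (page.protocol !== "https:") return { blocked: false, reason: "page is not a secure context" };
  if (isPotentiallyTrustworthy(req, loopbackIsTrustworthy)) return { blocked: false, reason: "request URL is a priori authenticated" };
  return { blocked: true, reason: `Mixed Content: ${page.origin} requested insecure endpoint ${req.href}` };
}

// Stage 2: CORS. Safelist rules from the Fetch spec, simplified.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

function isSafelistedHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_HEADERS.has(n)) return false;
  if (n === "content-type") return SAFELISTED_CONTENT_TYPES.some((t) => value.toLowerCase().startsWith(t));
  return true;
}

function needsPreflight(method, requestHeaders) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  return Object.entries(requestHeaders).some(([n, v]) => !isSafelistedHeader(n, v));
}

// Evaluate the server's response headers the way the browser does. This is
// only reached if the request was actually sent, i.e. stage 1 did not block it.
function corsCheck(pageOrigin, method, requestHeaders, responseHeaders, withCredentials = false) {
  const get = (h) => { const k = Object.keys(responseHeaders).find((x) => x.toLowerCase() === h); return k ? responseHeaders[k] : undefined; };
  const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowOrigin = get("access-control-allow-origin");
  if (allowOrigin === undefined) return { allowed: false, reason: "no Access-Control-Allow-Origin header" };
  if (withCredentials && allowOrigin === "*") return { allowed: false, reason: "wildcard origin is not valid with credentials" };
  if (allowOrigin !== "*" && allowOrigin !== pageOrigin) return { allowed: false, reason: `origin ${pageOrigin} not allowed` };
  if (needsPreflight(method, requestHeaders)) {
    const methods = list(get("access-control-allow-methods"));
    const wildcardOk = !withCredentials; // "*" is literal when credentials are sent
    if (!(wildcardOk && methods.includes("*")) && !methods.includes(method.toLowerCase()))
      return { allowed: false, reason: `method ${method} not allowed by preflight` };
    const headers = list(get("access-control-allow-headers"));
    for (const [name, value] of Object.entries(requestHeaders)) {
      if (isSafelistedHeader(name, value)) continue;
      if (!(wildcardOk && headers.includes("*")) && !headers.includes(name.toLowerCase()))
        return { allowed: false, reason: `header ${name} not allowed by preflight` };
    }
  }
  return { allowed: true, reason: "CORS checks passed" };
}

// Both stages in order: a request blocked as mixed content never reaches CORS,
// so the quality of the server's CORS headers is irrelevant to the failure.
function evaluateXhr({ pageUrl, requestUrl, method, requestHeaders, responseHeaders, loopbackIsTrustworthy = false }) {
  const mc = mixedContentCheck(pageUrl, requestUrl, loopbackIsTrustworthy);
  if (mc.blocked) return { stage: "mixed-content", allowed: false, reason: mc.reason };
  const cors = corsCheck(new URL(pageUrl).origin, method, requestHeaders, responseHeaders);
  return { stage: "cors", allowed: cors.allowed, reason: cors.reason };
}

// Constructed sample mirroring the thread: page https://vimeo.com/, injected
// script POSTs to http://127.0.0.1:7469/service. The JSON body is assumed.
const SERVER_HEADERS = { // the response headers quoted in the first post
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Methods": "POST, GET, OPTIONS",
  "Access-Control-Allow-Headers": "origin, content-type, accept",
};
const THREAD_CASE = {
  pageUrl: "https://vimeo.com/",
  requestUrl: "http://127.0.0.1:7469/service",
  method: "POST",
  requestHeaders: { "Content-Type": "application/json" },
  responseHeaders: SERVER_HEADERS,
};

function demo() {
  return {
    chrome2015: evaluateXhr(THREAD_CASE),                                          // blocked at stage 1
    loopbackExempt: evaluateXhr({ ...THREAD_CASE, loopbackIsTrustworthy: true }),   // current spec: reaches CORS, allowed
    httpsServer: evaluateXhr({ ...THREAD_CASE, requestUrl: "https://127.0.0.1:7469/service" }), // the fix the error message asks for
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node` to see the three outcomes side by side. The practical takeaway matches the thread: adding `Access-Control-Allow-*` headers cannot help because the request is dropped before it is sent; the options are to serve the local endpoint over HTTPS, or to rely on the loopback exemption that later versions of the spec (and browsers following it) introduced.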