Using fetch in chrome extension doesn't include referer header and set origin as null in the request


Jun 711

Dec 5, 2018, 2:52:11 AM
to Chromium Extensions
Hi, 

I was planning to use origin and referer to determine if a request comes from my extension and optionally serve the requests in my server.

However, I noticed that using fetch in background like the code below to send a cross-origin request,
i) the header would be set to null instead of chrome://**chrome-ext-id**. 
ii) there is no referer header being sent

In my manifest, I don't have <all_urls> in the permissions but I have my api url in the permissions to enable CORS requests.

Regarding header being null, I have tried using xhr and it does send origin header. However, xhr doesn't send referer header as well. 

Related StackOverflow threads:
1) https://stackoverflow.com/questions/45222298/using-fetch-in-chrome-extension-sends-null-origin-header
2) https://stackoverflow.com/questions/53627310/using-fetch-in-chrome-extension-doesnt-include-referer-header-in-the-request

Questions:
1) Is that an expected behavior?
2) What identifiers can I use to identify requests coming from my extensions then? 

fetch(url, {
  method: 'POST',
  mode: 'cors',
  credentials: 'include',
  cache: 'no-cache',
  headers: {
    'Content-Type': 'application/x-www-form-urlencoded',
  },
  // referrer and referrerPolicy are set explicitly, yet the server sees no
  // Referer header at all, and the Origin header arrives as "null".
  referrer: 'client',
  referrerPolicy: 'origin',
  body: JSON.stringify({ params })
})

Francois Devatine

Dec 5, 2018, 3:21:04 AM
to juny...@gmail.com, Chromium Extensions
If I understand correctly you have an extension and you have a website, and you want the website to know that the request comes from the extension?

I can think of a few ways:
- Add an extra parameter to the request URL. For example, if the request is https://a-domain.com/something?param=abc, you could add https://a-domain.com/something?param=abc&extension=1, and on the server side you simply check if such a parameter is in the request to determine if the user comes from the extension.

- Using webRequest API, you could even add an additional HTTP header, example:
// webRequest (Manifest V2): append a custom header to every request matching
// the URL filter before it leaves the browser. Needs the "webRequest" and
// "webRequestBlocking" permissions plus a host permission for the URL.
chrome.webRequest.onBeforeSendHeaders.addListener(function(details) {
    details.requestHeaders.push({"name": "extra-extension-header", "value": "my-extension"});
    return {requestHeaders: details.requestHeaders};
}, {urls: ["https://a-domain.com/*"]}, ["blocking", "requestHeaders"]);

Regards,
Francois

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.

Jun 711

Dec 5, 2018, 3:28:12 AM
to fran...@gmail.com, chromium-...@chromium.org
Thank you, Francois.
An extension and a server. 
I want my server to answer requests only from my extension. In other words, I don't want my api endpoint to be used by other apps or other websites.

Adding params won't do as anyone can add params and use the same params and thus defeat the purpose of using that as an identification. Similarly, using additional HTTP headers wouldn't achieve what I want. 

Francois Devatine

Dec 5, 2018, 3:34:34 AM
to juny...@gmail.com, Chromium Extensions
You may want to check the "externally_connectable" feature I think >> https://developer.chrome.com/apps/messaging
An extension can communicate with a website using this, and it could check for the extension ID to only talk to it. 

But keep in mind that the extension code is visible to everyone. Someone could just copy your extension code and create their own extension with the same logic.
It will be hard to add anything secure by using extension capabilities or APIs.

You would maybe need real authentication on your website, storing a cookie, etc.

// Francois

Jun 711

Dec 5, 2018, 3:39:56 AM
to fran...@gmail.com, chromium-...@chromium.org
Thank you, Francois. I don't have a website though. 

PhistucK

Dec 5, 2018, 5:37:11 AM
to Jun 711, Francois Devatine, Chromium-extensions
You can search crbug.com for an existing issue and star it. If you cannot find one, file a new issue using the "New issue" link on the same page.
Please, do not add a "+1" or "Me too" or "Confirmed" (or similar) comment. It just wastes the time of Chrome engineers and sends unnecessary e-mails to all of the people who starred the issue.

You can reply with a link to the found or created issue, and it might get triaged (and fixed) faster.

Thank you.

PhistucK

