This demo shows how to make an AJAX request from within a script injected by a Chrome Extension. The extension, when
loaded, injects extension/inject.js
into the DOM, causing the script to be interpreted inside host's isolated scope.
When executed, the script overrides an existing function called hackMe()
, making it dispatch an AJAX request every
time it is called.
On the server side, an Express app is listening for connections, serving a static page whenever someone asks for /
and logging to stdout every time someone makes a request to /ajax
. The server also sends cross-origin headers back
to the client, so that when the extension is executed from another host's context, Chrome will not complain about
cross-origin security breaches (e.g., displaying the message No 'Access-Control-Allow-Origin' header is present on the
requested resource. Origin 'some-other-host' is therefore not allowed access.
As a note, I thought that the following configuration was needed in the manifest.json
file:
"permissions": [
"http://localhost:8888/"
],
It turns out it is not needed and the demo works fine without it. I guess that's because the AJAX request is happening from inside the page's context and not from the extension itself, but I have yet to confirm that is true.
Clone this repo. Go to server/
and run:
npm install
node server
And the server should be online.
The next step is to go to chrome://extensions and drag the extension
folder over it to
install the extension.
Finally, point Chrome to the server to load the sample page and then open the console to see the script in action. Also look at the server output to confirm that the AJAX requests are successful.