How to download from a chrome extension without CORS and CORB?

M

med1um2021-03-16 23:29:57

Browser extensions

med1um, 2021-03-16 23:29:57

I am writing an extension that parses the site. For example, let's take Avito.
There is only one function in the background.js script:

setInterval(() => {
  var str = '';
  var request = new XMLHttpRequest();
  request.open('GET', 'https://www.avito.ru/vladimir/vakansii/it_internet_telekom-ASgBAgICAUSOC_SdAQ?cd=1', false);
  request.send();
  if (request.status === 200) {
    str = request.responseText.substring(0,11);
  }
  chrome.runtime.sendMessage(str);
}, 15000);

, which should download the html content of the page (and then another script is already parsing),
but background.js does not download - and it gives an error:

Tell me what needs to be done? Server headers cannot be changed.

manifest.json now has the following content:

{
  "description": "test1",
  "manifest_version": 2,
  "name": "test1",
  "version": "1.0",
  "icons": {
    "16": "icons/icon16.png",
    "32": "icons/icon32.png"
  },
  "browser_action": {
    "default_icon": {
      "16": "icons/icon16.png",
      "32": "icons/icon32.png"
    },
    "default_popup": "popup.html"
  },
  "background": {
    "scripts": [
      "background.js"
    ]
  }
}

Maybe in manifest.json you need to register content_security_policy?
Tell me, is it possible to upload data from other domains without CORS using extensions?

Reply

Answer the question

In order to leave comments, you need to log in

2 answer(s)

A

Alex, 2021-03-16
@Kozack

Try to add in the permissions field
https://www.avito.ru/*

N

Nadim Zakirov, 2021-03-17
@zkrvndm

Sample code for background.js - to correct response headers and bypass CORS :

// Обработчик для правки заголовков ответа:

chrome.webRequest.onHeadersReceived.addListener(

    function(info) {
  
    var headers = info.responseHeaders; // Получаем массив отсылаемых заголовков
    
    // Обходим массив полученных заголовков:
    
    for (var i=headers.length-1; i>=0; --i) {
      
      var header = headers[i].name.toLowerCase(); // Считываем название того или иного заголовка
      
      // При наличии совпадений, удаляем заголовок нахрен:
      
      if (header == 'content-security-policy' || header == 'access-control-allow-origin') { 
        headers.splice(i, 1);
      }
      
    }
    
    // Добавляем свой собственный разрешающий заголовок:
    headers.push({name: 'Access-Control-Allow-Origin', value: '*'});
    
    return {responseHeaders: headers}; // Вовращаем почищенный массив заголовков назад
    
    },
  
    { urls: [ '<all_urls>' ], types: [ 'xmlhttprequest' ] },
  
    ['blocking', 'responseHeaders']
  
);

In this case, you must have permissions in the extension manifest:

...
"permissions" : [ "webRequest", "webRequestBlocking", "<all_urls>" ],
"background" : { "persistent": true, "scripts": [ "background.js" ] },
...