It looks like the inconsistent behavior isn't just linked to ports; it
appears to be the case for other domains as well. I can successfully send an
XHR to a domain not listed in the permissions file. Chrome will 'swallow'
the response, but this still allows information to leak to other domains. Is
this by design?

I will update the bug with this info.

Chris

On Tue, Jan 12, 2010 at 11:06 PM, Aaron Boodman <a...@google.com> wrote:

> I've confirmed that this is a bug. We shouldn't be allowing ports in
> http permissions in the first place.
>
> I've filed this bug: http://crbug.com/32160
>
> You can "star" it to follow progress.
>
> - a
>
> On Sun, Jan 10, 2010 at 8:14 PM, Chris Killpack <killp...@gmail.com>
> wrote:
> > Chromium: 4.0.249.43
> > OS: Ubuntu 8.04 x86-64
> >
> > From my experiences over the last couple of days it appears that
> > Chrome has inconsistent enforcement of ports in the extensions
> > permissions set that leads to a lot of frustration.
> >
> > In my case I had included "http://localhost:8080/*" in the permissions
> > set because my extension needs to talk to a local server. The problem
> > I encountered is that Chrome will let the xhr connect to the server,
> > but then 'reject' the response from the server. By reject, I mean:
> >
> > xhr.readyState = 4
> > xhr.status = 0
> > xhr.responseText = null.
> >
> > Once I removed the port number from my permissions entry, Chrome
> > allowed the response through.
> >
> > This inconsistency implied that my server was not setting HTML
> > response codes correctly, so I spent a while digging through that. To
> > make matters worse, the same xhr code was working absolutely fine with
> > other servers out on the net (that I had included in the permissions
> > set).
> >
> > I'm not familiar with the XHR security architecture so I cannot
> > comment if this is expected behavior or not. But at the least it seems
> > inconsistent. Can I ask that the relevant documentation,
> > http://code.google.com/chrome/extensions/xhr.html and
> > http://code.google.com/chrome/extensions/match_patterns.html please be
> > updated to discuss this behavior?
> >
> > Thanks!
> >
> > Chris
>
--
You received this message because you are subscribed to the Google Groups "Chromium-extensions" group.
To post to this group, send email to chromium-extensi...@googlegroups.com.
To unsubscribe from this group, send email to chromium-extensions+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/chromium-extensions?hl=en.

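Added example, not part of the original thread or of Chromium's code: a pre-release check that flags host permissions carrying an explicit port, the case Aaron says should not be allowed and that Chris found worked once the port was removed. The manifest, function names and finding format are hypothetical; note that the port-less suggestion covers every port on that host.

```javascript
// Lint an extension manifest's "permissions" for host patterns that
// include an explicit port. The sample manifest is constructed data.

// <scheme>://<authority>[/<path>]; the scheme may be "*".
const HOST_PATTERN = /^(\*|[a-z][a-z0-9+.-]*):\/\/([^\/]*)(\/.*)?$/i;

function splitHostPort(authority) {
  // Bracketed IPv6 literal, e.g. [::1]:8443
  if (authority.startsWith('[')) {
    const end = authority.indexOf(']');
    if (end === -1) return { host: authority, port: null };
    const rest = authority.slice(end + 1);
    return {
      host: authority.slice(0, end + 1),
      port: rest.startsWith(':') ? rest.slice(1) : null,
    };
  }
  const idx = authority.lastIndexOf(':');
  if (idx === -1) return { host: authority, port: null };
  return { host: authority.slice(0, idx), port: authority.slice(idx + 1) };
}

function lintPermissions(manifest) {
  const findings = [];
  for (const entry of manifest.permissions || []) {
    if (typeof entry !== 'string') continue;
    const m = HOST_PATTERN.exec(entry);
    if (!m) continue; // API permission such as "tabs", not a host pattern
    const [, scheme, authority, path = '/'] = m;
    const { host, port } = splitHostPort(authority);
    if (port !== null) {
      // Suggest the same pattern without the port.
      findings.push({ entry, port, suggestion: `${scheme}://${host}${path}` });
    }
  }
  return findings;
}

const sampleManifest = {
  name: 'constructed example',
  permissions: ['tabs', 'http://localhost:8080/*',
                'http://*.example.com/*', 'https://[::1]:8443/api/*'],
};

console.log(lintPermissions(sampleManifest));
```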