search

imrexhuang / chrome-rest-client

Automatically exported from code.google.com/p/chrome-rest-client
0 stars 0 forks source link

Chrome is blocking many common headers for security reasons - no way to turn off blocking. #241

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago 
What steps will reproduce the problem?
1. Enter any of the following headers and attempt to submit the request from 
the extension and they are removed/blocked:

Accept-Charset
Accept-Encoding
Access-Control-Request-Headers
Access-Control-Request-Method
Connection
Content-Length
Cookie
Cookie 2
Content-Transfer-Encoding
Date
Expect
Host
Keep-Alive
Origin
Referer
TE
Trailer
Transfer-Encoding
Upgrade
User-Agent
Via

What is the expected output? What do you see instead?
The request should allow passage of the headers to the requested site. Several 
of these are needed for certain types of testing (for example CORS testing).  
There should be a way to disable the chrome security for certain 
domains/extensions or a setting within the extension to circumvent the blocking 
for testing.  

On what operating system, browser and browser version?
Windows 8.1, Chrome v33.0.1750.154 m

Please provide any additional information below.

I tried editing the manifest.json "permissions" section for the extension to 
allow cross origin requests to "http://*/" but it does not seem to allow the 
use of the headers with the changes - i.e. they are still blocked.  Since the 
whole point of the tool is to test calls against a REST endpoint, it severely 
limits the usefulness of the tool.

Original issue reported on code.google.com by epicor.e...@gmail.com on 26 Mar 2014 at 4:34

GoogleCodeExporter commented 9 years ago 
Also, I noticed it blocking "Access-Control-*" headers and found the remainder 
of the header list from a similar issue reported on the PostMan Extension.

Original comment by epicor.e...@gmail.com on 26 Mar 2014 at 4:37

GoogleCodeExporter commented 9 years ago 
It is nothing I can do right now with it. Even if the app have full host 
permissions it doesn't mean that the XMLHttpRequest will use those headers. 
It's prohibited by spec and there is no workaround. 
I'm working on new implementation where the app will use sockets API to make a 
request. But it is long shot and require a lot of work to do (handle HTTP 
request isn't easy). For current version (meaning legacy chrome app) it is 
impossible so I must close this issue.

Original comment by jarro...@gmail.com on 26 Mar 2014 at 11:11