Chrome扩展名为本地主机的XHR永远不会到来？

Question

I am trying to write a chrome extension, and this is the first time I have needed to POST to a server with one. If I fire a request in Postman to my local server at https://localhost:80/savelink I get a 200 and the server behaves accordingly. However, when I try to fire a request from the chrome extension, the server behavior is never triggered. The request is as follows (only slightly modified from the example):

chrome.tabs.query(queryInfo, function(tabs) {
        var tab = tabs[0];

        var url = tab.url;


        console.assert(typeof url == 'string', 'tab.url should be a string');
        var request = new XMLHttpRequest();

        request.open("POST", 'https://localhost:80/savelink', true);
        request.setRequestHeader("Content-Type", "application/json;charset=UTF-8");
        request.send({ tab_url: url });
        console.log("HIT");
    });

My manifest.json permissions look like this (can you tell I am pulling my hair?):

"permissions": [
"activeTab",
    "https://localhost/*",
    "https://*/",
    "http://*/"
  ]

and relevant parts of my server look like:

app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  next();
});

app.post('/savelink', function(req, res) {
    console.log(req.body);  // this log is never triggered when the route is hit through chrome
    res.sendStatus(200);
});

I am running Chrome Canary with the --disable-web-security flag set. I am still getting an insecure response on the client side, but I think that is probably irrelevant.

Answer 1

Okay, I figured it out, thank you to the commenters, you were all pretty much on the right path. I did have to run open -a "Google Chrome Canary" --args --user-data-dir --disable-web-security , but on top of that, any change made to the server relaunches it (which I blanked on). That means that in order to get my calls to work, I need to navigate to a route on my server, load it, accept the warning, and then open my extension and send my POST . Change the extension means I have to do that + reload the extension. Sorry to everyone I responded to, y'all were right, I missed some steps.