如何避免 Chrome 扩展中的“虚假”AJAX 请求

Question

I am writing a small Chrome extension, and my question mostly about the algorithms. Suppose, my extension should send some AJAX requests to my server. Is there any way to be sure that this particular AJAX request was received exactly from my extension? I mean, make sure that this is not the user sent this request by falsifying it. I will be grateful for any ideas.

Answer 1

You need to check request origin on your server which must contain your extension ID. When you send AJAX request from your extension the Origin parameter will be like this

chrome-extension://<extension_id> 

Now on server you need to check this origin. Example in php

$extensionID = "YOUR_EXTENSION_ID";
$origin = $_SERVER['HTTP_ORIGIN'];
if (strpos($origin, $extensionID) === false) {
// exit from code 
 exit();
}

Here is complete anwser how to find origin from request. Now your server will receive AJAX request only from your extension. If someone copy your code and run from another extension, your server will not handle that request.

Note that this will protect you from falsifying requests from other extensions. User still can open your extension background page and send AJAX request from console.