I'm trying to make a Chrome extension that dumps some details from Pull Requests on GitHub using the Fetch API and then displays them elsewhere. I encounter some problems when I try to use this with a non-public repository on GitHub. I believe this is due to CSRF protection and the rules governing Chrome extensions that have access to session cookies.
My manifest.json extension has the following:
    "content_scripts": [{
        "matches": [ "*://github.com/*/*/pulls" ],
        "js": ["script/underscore-1.8.3.min.js", "script/content.js"]
    }],
    "permissions": [ "tabs", "activeTab", "*://github.com/*", "webNavigation" ]
But when I run the following from my script/content.js:

    fetch('/redacted/redacted/pull/4549', {credentials: 'same-origin'})
        .then((response) => {
            return response.text();
        })
        .then((text) => {
            // do cool stuff
        });
This gives a 404 response from GitHub. By checking this request on the Chrome Inspector's network tab, I see that it is not sending my GitHub session header with the request.
If I make the same request using the JavaScript prompt in the Inspector, I can see the 200 response, and I see that it sends session cookies.
My understanding was that specifying the GitHub domain in my manifest.json would mean that my extension would have access to my session data in my content scripts, right? What should I do to make a valid request for this protected content?
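As an added example (not code from the question or from any extension), the following content-script helper makes the credentialed same-origin fetch described above but also checks the path it is given, distinguishes a rejected request (such as the 404 seen here) from a successful one, and pulls the page title out of the returned HTML. The `fetchImpl` parameter and the `fetchPullRequest`/`parsePullRequestTitle` names are assumptions introduced for illustration; injecting the fetch function lets the logic be exercised offline with a fake fetch instead of a live GitHub session.

```javascript
// Added example, not from the original question. Assumed helper names:
// fetchPullRequest, parsePullRequestTitle. `fetchImpl` defaults to the
// page's fetch but can be replaced with a fake for offline testing.

// Extract the <title> text from a GitHub PR page; returns null if absent.
function parsePullRequestTitle(html) {
  const match = /<title>([^<]*)<\/title>/i.exec(html);
  return match ? match[1].trim() : null;
}

// Perform a credentialed same-origin request for one PR page.
// Only relative PR paths are accepted, so the session cookie is never
// attached to a request for some other origin by mistake.
async function fetchPullRequest(path, fetchImpl = globalThis.fetch) {
  if (!/^\/[^/]+\/[^/]+\/pull\/\d+$/.test(path)) {
    throw new Error(`refusing non-PR path: ${path}`);
  }
  const response = await fetchImpl(path, {
    credentials: 'same-origin',      // send github.com cookies, nothing else
    headers: { Accept: 'text/html' },
  });
  if (!response.ok) {
    // A 404 on a private repo usually means the request was not
    // authenticated; surface the status instead of parsing an error page.
    return { ok: false, status: response.status, title: null, text: null };
  }
  const text = await response.text();
  return { ok: true, status: response.status, title: parsePullRequestTitle(text), text };
}

// Typical use from a content script on a github.com pulls page:
//   fetchPullRequest('/owner/repo/pull/4549').then((r) => {
//     if (!r.ok) { console.warn('PR fetch failed with status', r.status); return; }
//     console.log('PR title:', r.title);
//   });
```

Checking `response.ok` before parsing is the important part: a request that silently lost its cookies returns a normal-looking HTML error page, and code that goes straight to "do cool stuff" will scrape that page as if it were the PR.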