Comment #11 on issue 20624 by [email protected]: Extension background page xhr.setRequestHeader will send HTTP OPTIONS verb http://code.google.com/p/chromium/issues/detail?id=20624
This OPTIONS request is coming from CORS (http://www.w3.org/TR/access-control/) -- specifically the preflight section (http://www.w3.org/TR/access-control/#preflight- request0). You should see the same thing if you make the same request from a normal webpage instead of an extension. It isn't a security flaw; it's supposed to work that way. The desired behavior is: 1) If the request is to the extension's own origin, allow it 2) If the request is to an origin that is whitelisted in the extension's manifest using the permissions property, allow it 3) Otherwise, use CORS (which may result in this OPTIONS request, depending on headers) ninja: When you filed this bug, did you have the origin you were trying to reach in the permissions section of your manifest? http://code.google.com/chrome/extensions/manifest.html#permissions If not, this bug is invalid. Sorry for not realizing this earlier. -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. You may adjust your issue notification preferences at: http://code.google.com/hosting/settings -- Automated mail from issue updates at http://crbug.com/ Subscription options: http://groups.google.com/group/chromium-bugs
