What are the limitations of AJAX requests in Chrome Apps?

Time: 2022-10-13 15:14:32

I am planning a Chrome App project where I will be performing numerous AJAX calls. Before settling on Chrome Apps as the platform of choice, I would like to have a better understanding of its limitations and advantages regarding AJAX calls compared to web apps. Having conducted some research, I came up with the answers below. Since I have limited experience in this area, I would like to know if my findings are correct and if there are other limitations that should be considered.

1. Origin

Limitations regarding origins are more flexible for Chrome Apps than for web apps: The same-origin policy related to AJAX requests can be relaxed in the app’s manifest by requesting cross-origin permissions. Therefore, there is no need for techniques like Cross-Origin Resource Sharing (CORS) and JSONP (which is in fact prohibited by the Content Security Policy (CSP)).

2. Content

Limitations regarding accessible content are more severe: Chrome Apps can only refer to scripts, stylesheets, images, frames, plugins and fonts within the app, but media resources (video, audio, and associated text tracks) can be loaded from any external resource. The ‘connect-src’ directive is set to allow for loading any URI, so given cross-origin permissions or using CORS, one can make AJAX calls to all hosts and receive text and media type responses. Other content types can be served as blobs. The CSP cannot be relaxed.

(A peculiarity I found: As stated, CSP forbids loading several content types, therefore one has to load them as blobs via AJAX requests. As a result of the same-origin policy, this would have to be done via CORS. Most servers don’t have CORS enabled, even if their content is public. Therefore, if Chrome Apps enforced ‘Access-Control-Allow-Origin’ (ACAO) response headers at all times, the CORS approach would fail in a lot of cases. The solution to this problem is cross-origin permissions: If a permission was given to access a server, even if no appropriate ACAO header is received, the request is let through. But one can rely on CORS alone too: If no cross-origin permission is granted, but the request is made to a server with wildcard ACAO settings, it is also let through.)

Two additional things to note:

  • Some documentation of Chrome Apps refers to extensions instead of apps. In these cases I assume that the information provided there is correct for apps too.
  • Synchronous XHR requests are disabled.
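
The cross-origin permissions described in the question lift the same-origin check for every host a manifest pattern matches, so the breadth of those patterns is worth reviewing. The following is an added example, not part of the original post or of Chrome's documentation, that audits a manifest's `permissions` array; the function names, the sample manifest and its hosts are constructed for illustration.

```javascript
// Added example: audit a Chrome App manifest's host (cross-origin) permissions.
// Match patterns have the form <scheme>://<host>/<path>, or "<all_urls>".
const MATCH_PATTERN = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^/*]+|[^/*]*)(\/.*)$/;

function classifyPermission(entry) {
  // Object-style entries (e.g. {socket: [...]}) and API names are not host patterns.
  if (typeof entry !== 'string') return null;
  if (entry === '<all_urls>') {
    return { pattern: entry, breadth: 'all-hosts', cleartext: true };
  }
  const m = MATCH_PATTERN.exec(entry);
  if (!m) return null; // e.g. "storage"
  const [, scheme, host] = m;
  let breadth = 'single-host';
  if (host === '*') breadth = 'all-hosts';
  else if (host.startsWith('*.')) breadth = 'all-subdomains';
  // "*" as scheme matches both http and https, so it includes cleartext.
  return { pattern: entry, breadth, cleartext: scheme === 'http' || scheme === '*' };
}

function auditManifest(manifest) {
  const hosts = (manifest.permissions || []).map(classifyPermission).filter(Boolean);
  const findings = [];
  for (const h of hosts) {
    if (h.breadth === 'all-hosts') {
      findings.push(`${h.pattern}: XHR allowed to every host; list only the hosts the app needs`);
    } else if (h.breadth === 'all-subdomains') {
      findings.push(`${h.pattern}: covers every subdomain; narrow it if one host is enough`);
    }
    if (h.cleartext) {
      findings.push(`${h.pattern}: permits plain http, so responses can be altered in transit`);
    }
  }
  return { hosts, findings };
}

// Constructed sample manifest (hypothetical app and hosts).
const sampleManifest = {
  manifest_version: 2,
  name: 'Example App',
  version: '1.0',
  app: { background: { scripts: ['background.js'] } },
  permissions: ['storage', 'https://api.example.com/*', 'http://*.example.org/*',
    '*://*/*', { socket: ['tcp-connect'] }],
};

console.log(auditManifest(sampleManifest).findings.join('\n'));
```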

1 solution

#1


0  

Unfortunately, you'll just have to test this all out. I've found the Google docs (especially with Chrome apps) to be very lacking and frequently wrong. Going through the docs, it appears they wrote them for extensions, copied all the docs over and then when they encountered a difference, they changed the docs but did not cover everything.

As for accessing external sources, follow these "instructions": http://developer.chrome.com/apps/app_external.html#external

And if you find an issue, report it BOTH here and https://code.google.com/p/chromium/issues/list
