As you know, when send $.ajax(..) request to another domain (cross-domain), most browser throw exception like:

 XMLHttpRequest cannot load http://mysite.com/test.php. Origin
 http://127.0.0.1:8888 is not allowed by Access-Control-Allow-Origin.

I am creating chrome extension and it should send a request to my website. First , i expected to see above message,too. But i confused when i see it worked fine.

First, It’s seem good, it’s working and i have what i want. But it can be horrible. Every one can use such way (only a simple script) to attack my site and grab its data.

Of course, grabbing could be happen in other ways, too. I am new in api programing and chrome extension. Do anyone may show me the way?

manifest.json

{
  "manifest_version": 2,
  "name": "MyTestExtension",
  "description": "this extension is for test",
  "version": "1.0",
  "icons": {
    "128": "icon.png"
  },
  "browser_action": {
    "default_icon": "icon.png" 
  },
  "permissions": [
    "tabs" ,
    "*://*/*"
  ],
  "content_scripts": [
    {
      "matches": ["*://*/*"],
      "js": ["jquery-1.7.2.min.js","content_script.js"],
      "run_at": "document_end"
    }
  ]  
}

content_script.js

$(document).ready(function(){
    $('html').mouseup(function() {
        var selectedText = getSelectedText();
        if(selectedText > ''){
            my_syncTest(selectedText)      // here : selected test send to my site
        }
    });

    function getSelectedText() {
        if (window.getSelection) {
            var selection = window.getSelection().toString();
            if(selection.trim() > ''){
                return selection;
            }
        } else if (document.selection) {
            var selection = document.selection.createRange().text;
            if(selection.trim() > ''){
                return selection;
            }
        }
        return '';
    } });


function my_syncTest(word){
var qs = 'word='+word+'&header=555&simwords=1'; 
$.ajax(
  {
   type: "POST", 
   url: 'http://mysite.com/test.php',
   dataType: 'json', 
   data : qs, 

  success:function(res){
    console.log(res.success +" - "+ res.idWord + " - " + res.header +" - " + res.meaning);
  }});
}

XMLHttpRequests from your extension work because you defined these permissions in the manifest:

"permissions": [
    "*://*/*"
]

When a user installs your extension, he is informed that this extension can access his data on all sites. I prefer only including the exact site you need instead of wildcards.

http://developer.chrome.com/extensions/xhr.html

This mechanism is to protect the user, not to protect your site. If you don't want everybody to use your API, use API-keys, or look into oAuth:

http://en.wikipedia.org/wiki/OAuth

If you want to learn more about cross origin requests:

http://en.wikipedia.org/wiki/Cross-origin_resource_sharing

https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS