GM_xmlhttpRequest is not sending cookies back to origin #1521

Closed
Enkidu70 opened this Issue · 7 comments

3 participants

@Enkidu70

In GM scripts designed for sites using cookies (e.g. for authentication purposes) GM_xmlhttpRequest (GM v0.9.17) does not work properly because it does not send back the given cookies.

Using GM_xmlhttpRequest no cookies are included. Using XMLHttpRequest all cookies are preserved.

This is especially a problem if the site protects its cookies with "Set-Cookie: ...; HttpOnly", so that you cannot attach them manually.

Solution:
GM_xmlhttpRequest just has to preserve the given cookies (like XMLHttpRequest does).

@arantius
Collaborator

See #1169

GM_xmlhttpRequest allows cross-origin requests by not starting from a content-scoped origin. Thus it has no cookies. I don't know how easy or hard it would be to try to smash them in anyway.

@Enkidu70

Besides the technical implementation, I do not see a problem with the scope because in my opinion it is very clear:

As long as I am working on the same domain, it is not cross-origin and GM_xmlhttpRequest should act like XMLHttpRequest. As soon as I make a request to a different domain, GM_xmlhttpRequest should, if present, send the cookies for that domain. And apart from the ability to make cross-origin requests, it should behave exactly the same way XMLHttpRequest does.

I just took a look at Scriptish, and there GM_xmlhttpRequest works as I expect it to...

@arantius
Collaborator

The behavior of Scriptish is identical to Greasemonkey: cookie transmission depends on the third-party cookie setting. Closing this as a dupe of #1169.

(And what I said is that as far as GM_xhr goes, every request is cross origin because they all start in the privileged chrome origin, which can access any remote url -- but then they are all "third party".)

@arantius arantius closed this
@Enkidu70

Sorry, this is definitely not true for Scriptish! My system does not allow third-party cookies, but using Scriptish it works as I expect it to.

Here on my system Greasemonkey's GM_xmlhttpRequest does NOT send the cookies to the site my userscript is designed for! But XMLHttpRequest and the Scriptish implementation of GM_xmlhttpRequest DO send them!

Please note: I installed the same userscript in the same browser, so I am using exactly the same settings concerning cookies etc. One time in Greasemonkey, one time in Scriptish.

@arantius
Collaborator

Firefox: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2

  1. Brand new test profile.
  2. Install Greasemonkey.
  3. Install previously linked (in #1169) test script.
  4. Cookies work as expected.
  5. Set network.cookie.cookieBehavior to 1.
  6. Cookies don't work.

As stated. Starting over:

  1. Again wipe out to brand new test profile.
  2. Install Scriptish.
  3. Install previously linked (in #1169) test script.
  4. Cookies work as expected.
  5. Set network.cookie.cookieBehavior to 1.
  6. Cookies don't work.

You must not have third-party cookies disabled wherever you're testing Scriptish, or something else is different/changing.

@0rt
0rt commented

@arantius
I want to bring it up again, because I think Scriptish is superior to GM in this part.

There is a metablock key, @domain, which grants GM_xmlhttpRequest access if you explicitly list those domains. If you don't declare any, that allows full GM_xhr access on all domains.

If you think the Scriptish implementation is too insecure, you could just add another metablock key like @xhr_all and have it set to false by default.

Personally, I don't think there is a problem if the userscript writer knows what they are doing when sending cookies to other domains, but it is a big issue that the current GM won't send cookies to the same domain. That is a big drawback when you implement so many features in GM_xhr, but it turns out to be handicapped when it comes to XHR dealing with cookies.

This issue should be divided into two:
1. Implement same-origin XHR with cookies. That is a bug, if you ask my opinion.
2. Allow the user to control the XHR cookie access. That is a feature request which has been implemented in Scriptish.

Reference:
https://github.com/scriptish/scriptish/wiki/Manual%3A-Metadata-Block

@0rt
0rt commented

Sorry for the spam, I didn't notice there was an open bug for that.
