In GM scripts designed for sites using cookies (e.g. for authentication purposes) GM_xmlhttpRequest (GM v0.9.17) does not work properly because it does not send back the given cookies.
Using GM_xmlhttpRequest no cookies are included. Using XMLHttpRequest all cookies are preserved.
This is esp. a problem if the site protects its cookies by "Set-Cookie: ...; HttpOnly" so that you cannot attach them manually.
GM_xmlhttpRequest just has to preserve given cookies (like XMLHttpRequest does).
GM_xmlhttpRequest allows cross-origin requests by not starting from a content-scoped origin. Thus it has no cookies. I don't know how easy or hard it would be to try to smash them in anyways.
Besides the technical implementation, I do not see a problem with the scope because in my opinion it is very clear:
As long as I am working on the same domain, it is not cross origin and GM_xmlhttpRequest should act like XMLHttpRequest. As soon as I make a request to a different domain, GM_xmlhttpRequest should, if present, send cookies for that domain. And besides the ability to make cross-origin requests, it should behave exactly the same way XMLHttpRequest does.
I just took a look at Scriptish and there GM_xmlhttpRequest works as I expect it...
The behavior of Scriptish is identical to Greasemonkey: cookie transmission depends on the third-party cookie setting. Closing this as a dupe of #1169.
(And what I said is that as far as GM_xhr goes, every request is cross origin because they all start in the privileged chrome origin, which can access any remote url -- but then they are all "third party".)
Sorry, this is definitely not true for Scriptish! My system does not allow third party cookies but using Scriptish it works as I expect it.
Here on my system Greasemonkey's GM_xmlhttpRequest does NOT send the cookies to the site my userscript is designed for! But XMLHttpRequest and Scriptish's implementation of GM_xmlhttpRequest DO send them!
Please note: I installed the same userscript in the same browser, so I am using exactly the same settings concerning cookies etc. One time in Greasemonkey, one time in Scriptish.
Firefox: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:10.0.2) Gecko/20100101 Firefox/10.0.2
As stated. Starting over:
You must not have third party cookies disabled wherever you're testing Scriptish, or something else is different/changing.
I want to bring it up again, because I think Scriptish is superior to GM in this part.
There is a metablock name, @domain, which grants GM_xmlhttpRequest access if you explicitly declare these domains. If you don't declare any of them, that will allow full GM_xhr access to all domains.
If you think the Scriptish implementation is too insecure, you could just add another metablock like @xhr_all and have it set to false by default.
Personally, I don't think there is a problem if the userscript writers know what they are doing when sending cookies to other domains, but it is a big issue that the current GM won't send cookies to the same domain. That is a big drawback when you implement so many features in GM_xhr but it turns out handicapped when it comes to XHR dealing with cookies.
This issue should be divided into two:
Sorry for the spam, I didn't notice there is an open bug for that.
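
The @domain rule as described in the thread above (no declaration means unrestricted, otherwise only declared domains are reachable), sketched as an added example; this is not Greasemonkey or Scriptish code. The function names, the sample header and the exact-host matching are assumptions made for illustration.

```javascript
// Constructed userscript header; the @domain values are sample data.
const SAMPLE_SCRIPT = `// ==UserScript==
// @name     Example
// @include  https://app.example.com/*
// @domain   app.example.com
// @domain   api.example.net
// ==/UserScript==
console.log("script body");`;

// Collect every @domain value from the ==UserScript== metadata block.
function parseDomains(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  if (!block) return [];
  const domains = [];
  for (const line of block[1].split(/\r?\n/)) {
    const m = /^\s*\/\/\s*@domain\s+(\S+)\s*$/.exec(line);
    if (m) domains.push(m[1].toLowerCase());
  }
  return domains;
}

// Decide whether a privileged request to `url` is permitted.
// Assumption: hosts are compared exactly, so a look-alike such as
// "app.example.com.evil.test" never matches "app.example.com".
function xhrAllowed(source, url) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch (e) {
    return false; // unparsable target: refuse rather than guess
  }
  const domains = parseDomains(source);
  if (domains.length === 0) return true; // no @domain declared: unrestricted
  return domains.includes(host);
}
```

Comparing the parsed hostname, rather than searching the URL string for the declared domain, is what keeps a look-alike host from passing the check.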