I'm working on an extension that parses the Gmail RSS feed for users. I allow the users to specify username/passwords if they don't want to stay signed-in. But this breaks for multiple sign-in if the user is signed-in and the username/password provided is for a different account. So I want to avoid sending any cookies but still be able to send the username/password in the send() call.
It is probably built into the XMLHttpRequest specification, and if you have control of the server you are sending the request to and are able to modify response headers, it may be possible to make an XMLHttpRequest with a cookie – Mohammad Ali Feb 15 '17 at 22:42
Sadly I don't have control over the server I'm sending the request to...
I'm sorry to inform you, but the XMLHttpRequest function of JavaScript does not allow a cookie header to be set for security reasons, as shown here: stackoverflow.com/questions/15198231/… The best way I could see you making that GET request would be to a proxy server that you would be running – Mohammad Ali Feb 15 '17 at 22:15
Thanks.
Thus, the cookie monster will observe the assigned XMLHttpRequest and jump at its throat the moment it smells fresh cookies included in the HTTP headers! The CookieMonster class will provide the following methods: QueryInterface (iid) : method required to be compliant with the nsIObserver interface
When developing a Chrome extension, you might need to get an XMLHttpRequest that’s part of a content script to send cookies for a domain when making a request to that domain, if the origin is not that domain. Not much has been written about how to do this.
As of Chrome 42, the fetch API allows Chrome extensions (and web applications in general) to perform cookie-less requests. HTML5 Rocks offers an introductory tutorial on using the fetch API.
Advanced documentation on fetch is quite sparse at the moment, but the API interface from the specification is a great starting point. The fetch algorithm described below the interface shows that requests generated by fetch have no credentials by default!
fetch('http://example.com/').then(function(response) {
  return response.text(); // <-- Promise<String>
}).then(function(responseText) {
  alert('Response body without cookies:\n' + responseText);
}).catch(function(error) {
  alert('Unexpected error: ' + error);
});
If you want truly anonymous requests, you could also disable the cache:
fetch('http://example.com/', {
  // credentials: 'omit', // this is the default value
  cache: 'no-store',
}).then(function(response) {
  // TODO: Handle the response.
  // https://fetch.spec.whatwg.org/#response-class
  // https://fetch.spec.whatwg.org/#body
});
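For the question's case (send a username and password but no cookies), the fetch options above can be combined with an explicit Authorization header. This is an added example, not code from the answer: the function names, feed URL and credentials are constructed, and because current versions of the Fetch standard default credentials to same-origin, it sets credentials: 'omit' explicitly rather than relying on the default.

```javascript
// Added example: names, URL and credentials are constructed for illustration.

// RFC 7617 Basic credentials, UTF-8 encoded so non-ASCII passwords survive btoa().
function basicAuthHeader(username, password) {
  if (username.includes(':')) {
    throw new Error('Basic auth user-id must not contain ":"');
  }
  const bytes = new TextEncoder().encode(username + ':' + password);
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return 'Basic ' + btoa(binary);
}

// Returns the arguments for fetch(); nothing is sent until fetch is called.
function buildCookielessRequest(feedUrl, username, password) {
  const url = new URL(feedUrl);
  if (url.protocol !== 'https:') {
    throw new Error('refusing to send Basic credentials over ' + url.protocol);
  }
  if (url.username || url.password) {
    throw new Error('put credentials in the header, not in the URL');
  }
  return {
    url: url.href,
    init: {
      credentials: 'omit', // no cookies or stored HTTP auth are attached
      cache: 'no-store',   // do not read from or write to the HTTP cache
      redirect: 'error',   // never replay the header to a redirect target
      headers: { Authorization: basicAuthHeader(username, password) },
    },
  };
}

// Usage inside the extension (assumes host permission for the feed origin).
function fetchFeed(feedUrl, username, password) {
  const req = buildCookielessRequest(feedUrl, username, password);
  return fetch(req.url, req.init).then(function (response) {
    if (!response.ok) throw new Error('HTTP ' + response.status);
    return response.text();
  });
}
```

If the feed legitimately redirects, relax redirect: 'error' only after confirming the target stays on the same origin.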
You can do that by using the chrome.cookies module. The idea is to get the current cookies, save them, remove them from the browser's cookie store, send your request, and finally restore them:
var cookies_temp = []; // where you put the cookies first
var my_cookie_store = []; // the cookies will be there during the request
var details = {/*your code*/}; // the first parameter for chrome.cookies.getAll()

var start_kidnapping = function(cookies) {
  cookies_temp = cookies.slice();
  kidnap_cookie();
};

var kidnap_cookie = function() {
  // This recursive function will store the cookies from cookies_temp to
  // my_cookie_store and then remove them from the browser's cookie store.
  if (cookies_temp.length == 0) { // when no more cookies, end recursion
    send_request();
  } else {
    var cookie = cookies_temp.pop();
    // We store url as a property since it is useful later.
    // You may want to change the scheme.
    cookie.url = "http://" + cookie.domain + cookie.path;
    my_cookie_store.push(cookie); // save it
    chrome.cookies.remove({url: cookie.url, name: cookie.name}, kidnap_cookie);
  }
};

var send_request = function() {
  // Send your request here. It can be asynchronous.
  for (var i = 0; i < my_cookie_store.length; i++) {
    var cookie = my_cookie_store[i];
    delete cookie.hostOnly; // these 2 properties are not part of the
    delete cookie.session;  // object required by chrome.cookies.set()
    // note that at this point, cookie is no longer a Cookie object
    chrome.cookies.set(cookie); // restore cookie
  }
  my_cookie_store = []; // empty it for new adventures
};

chrome.cookies.getAll(details, start_kidnapping); // start
Alternatively, a simpler solution is to open an incognito window which will send the request, using the chrome.windows module, but this will prevent you from communicating with the rest of your extension. Note that you may have to change the incognito property of your manifest to split:
var incognito_window = {
  "url": "incognito.html",
  "focused": false, // do not bother user
  "incognito": true
};
chrome.windows.create(incognito_window);