Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Is there a way to not send cookies when making an XMLHttpRequest on the same origin?

I'm working on an extension that parses the gmail rss feed for users. I allow the users to specify username/passwords if they don't want to stay signed-in. But this breaks for multiple sign-in if the user is signed-in and the username/password provided is for a different account. So I want to avoid sending any cookies but still be able to send the username/password in the send() call.

like image 461
Shrey Avatar asked Jan 27 '12 02:01

Shrey


People also ask

Can I make an XML HTTP request with a cookie?

it is probably built into the xmlhttprequest specification and if you have control of the server you are sending the request to and are able to modify response headers it may be possible to make an xmlhttp request with a cookie – Mohammad Ali Feb 15 '17 at 22:42 Sadly I don't have control over the server I'm sending the request to...

Is it possible to set a Cookie header in XMLHttpRequest?

im sorry to inform you but the xmlHTTPRequest function of javascript does not allow a cookie header to be set for security reasons as shown here: stackoverflow.com/questions/15198231/…the best way i could see you making that get request would be to a proxy server that you would be running – Mohammad Ali Feb 15 '17 at 22:15 Thanks.

How does The CookieMonster handle XMLHttpRequest?

Thus, the cookie monster will observe the assigned XMLHttpRequest and jump at its throat the moment it smells fresh cookies included in the HTTP headers! The CookieMonster class will provide the following methods: QueryInterface (iid) : method required to be compliant with the nsIObserver interface

How to send cookies to a domain from a content script?

When developing a Chrome extension, you might need to get an XMLHttpRequest that’s part of a content script to send cookies for a domain when making a request to that domain, if the origin is not that domain. Not much has been written about how to do this.


2 Answers

As of Chrome 42, the fetch API allows Chrome extensions (and web applications in general) to perform cookie-less requests. HTML5 Rocks offers an introductory tutorial on using the fetch API.

Advanced documentation on fetch is quite sparse at the moment, but the API interface from the specification is a great starting point. The fetch algorithm described below the interface shows that requests generated by fetch have no credentials by default!

fetch('http://example.com/').then(function(response) {
    return response.text(); // <-- Promise<String>
}).then(function(responseText) {
    alert('Response body without cookies:\n' + responseText);
}).catch(function(error) {
    alert('Unexpected error: ' + error);
});

If you want truly anonymous requests, you could also disable the cache:

fetch('http://example.com/', {
    // credentials: 'omit', // this is the default value
    cache: 'no-store',
}).then(function(response) {
    // TODO: Handle the response.
    // https://fetch.spec.whatwg.org/#response-class
    // https://fetch.spec.whatwg.org/#body
});
like image 167
Rob W Avatar answered Oct 20 '22 00:10

Rob W


You can do that by using the chrome.cookies module. The idea is to get the current cookies, save them, remove them from the browser's cookie store, send your request, and finally restore them:

var cookies_temp = []; // where you put the cookies first
var my_cookie_store = []; // the cookies will be there during the request
var details = {/*your code*/}; // the first parameter for chrome.cookies.getAll()
var start_kidnapping = function(cookies) {
    cookies_temp = cookies.slice();
    kidnap_cookie();
};
var kidnap_cookie = function() {
    // This recursive function will store the cookies from cookies_temp to
    // my_cookie_store and then remove them from the browser's cookie store.
    if (cookies_temp.length == 0) { // when no more cookies, end recursion
        send_request();
    };
    else {
        var cookie = cookies_temp.pop();
        // We store url as a property since it is useful later.
        // You may want to change the scheme.
        cookie.url = "http://" + cookie.domain + cookie.path;
        my_cookie_store.push(cookie); // save it
        chrome.cookies.remove({url: cookie.url, name: cookie.name}, kidnap_cookie);
    };
};
var send_request = function() {
    // Send your request here. It can be asynchronous.
    for (var i = 0, i < my_cookie_store.length; i++){
        delete cookie.hostOnly; // these 2 properties are not part of the
        delete cookie.session;  // object required by chrome.cookies.set()
        // note that at this point, cookie is no longer a Cookie object
        chrome.cookies.set(my_cookie_store[i]); // restore cookie
    };
    my_cookie_store = []; // empty it for new adventures
};
chrome.cookies.getAll(details, start_kidnapping); // start

Alternatively, a simpler solution is to open an incognito window which will send the request, using the chrome.windows module, but this will prevent you from communicating with the rest of your extension. Note that you may have to change the incognito property of your manifest to split:

var incognito_window = {
    "url": "incognito.html",
    "focused": false, // do not bother user
    "incognito": true
}
chrome.windows.create(incognito_window);
like image 44
emm Avatar answered Oct 20 '22 01:10

emm