Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why can Tampermonkey's GM_xmlhttpRequest perform a CORS request?

Tags:

cors

google-chrome-extension

tampermonkey

GM_xmlhttpRequest can perform an ajax call that ignores the same origin policy.
I have checked the network panel in Chrome but I cannot find the XHR from GM_xmlhttpRequest in it. It just works.
I'd like to know what exactly happened and the reason why it works. Thank you.

like image 956
Andrew Zhang Avatar asked Jan 29 '23 18:01

Andrew Zhang

1 Answers

Tampermonkey can do cross-origin ajax because it is an extension and extensions are trusted much more than some website's javascript. See "Referencing external resources" in the Chrome extension API.

Tampermonkey scripts operate in a privileged scope and GM_xmlhttpRequest was created specifically to wrap around a privileged XMLHttpRequest call.

To see the Tampermonkey XHR, you must inspect Tampermonkey's background page. You will see the userscript's XHR In the network panel there.

like image 107
Brock Adams Avatar answered Feb 16 '23 02:02

Brock Adams
Sign in to Comment

Related questions

Include ttf files in chrome extension content script
Google Chrome exstension chrome.tabs.onUpdated.addListener
--load-extension parameter for chrome doesn't work
Is there a way to uniquely identify an iframe that the content script runs in for my Chrome extension?
Chrome Extension: executeScript on tab
chrome.browserAction.onClicked.addListener Not working
Chrome extension as static server
Chrome extension options not calling javascript file
Chrome extension history API not showing all results?
Firefox / Chrome / MS Edge extensions using chrome.* or browser.*
How do I reach variables in a chrome extension popup localStorage from content scripts?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!