[Greasemonkey] XMLHttpRequest and document.domain

Saravanan saravanannkl at gmail.com
Sun Jul 24 15:09:57 EDT 2005

I think you have misunderstood my problem.

I am using *Greasemonkey 0.3.5 version* since last tuesday. Also I am not 
using any GM_apis in my script now. Older versions of my script used 
GM_xmlhttpRequest for fetching data. Now I am replacing GM_xmlhttpRequest 
with XMLHttpRequest to make it compatible with Greasemonkey version 0.3.5.

I am in timesofindia.indiatimes.com
<http://timesofindia.indiatimes.com>website and my script makes a
request to
timesofindia.indiatimes.com <http://timesofindia.indiatimes.com>. So it is 
not cross domain request and therefore my script should work. But my script 
is not working and mozilla throws an error. While analyzing the javascript 
script tags in the
timesofindia.indiatimes.com<http://timesofindia.indiatimes.com>page I
found that value of
document.domain is changed to "indiatimes.com <http://indiatimes.com>". So I 
changed my script to make a request to indiatimes.com<http://indiatimes.com>. 
It worked. So I try to change document.domain value to "
timesofindia.indiatimes.com <http://timesofindia.indiatimes.com>". But 
mozilla throws exception for this. 

I beleive that the GM script and scripts that are already in the web page 
will have the same security permissions. Why the javascript in the page is 
able to change the the value of document.domain and why not my GM script.


On 7/24/05, chris feldmann <cfeldmann at gmail.com> wrote:
> Hi,
> First off, you should not be using any version of greasemonkey that 
> exposes the GM_ api's. You might not have heard, but there's a little 
> security problem:
> http://greaseblog.blogspot.com/2005/07/mandatory-greasemonkey-update.html
> Second, XMLHttpRequest won't work across domains, a separate security 
> consideration that holds for mozilla across the board. That, I suspect, is 
> the source of your error on req.open(). As for changing the domain, I'm 
> not sure but it looks like you're just trying to pull a workaround on that 
> security restriction. 
> On 7/24/05, Saravanan <saravanannkl at gmail.com> wrote:
> > Hi,
> > I am working on a Greasemonkey script that uses XMLHttpRequest. This
> > script acts on the url pattern "http://timesofindia.indiatimes.com/*".
> > When the GM script tries to connect to url 
> > "http://timesofindia.indiatimes.com/" then mozilla throws an exception
> > "Permission denied to call method XMLHttpRequest.open". But the GM
> > script is able to connect sucessfully to the url 
> > "http://indiatimes.com/".
> > 
> > After digging out I found that the document.domain value is changed
> > from "timesofindia.indiatimes.com <http://timesofindia.indiatimes.com>" 
> > to "indiatimes.com <http://indiatimes.com>" in the page
> > thru javascript. I thought this may be reason for XMLHttpRequest not
> > working in my script. so I tried to change the value of
> > document.domain back to "timesofindia.indiatimes.com<http://timesofindia.indiatimes.com>" 
> > in the script.
> > mozilla throws exception when the script tries to change the value of
> > document.domain. 
> > 
> > Is my assumption correct or am I missing something. can somebody throw
> > some light on XMLHttpRequest security and how it is handled in mozilla
> > browsers.
> > 
> > I am attaching my GM script for reference
> > 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mozdev.org/pipermail/greasemonkey/attachments/20050724/b7312bdc/attachment.htm

More information about the Greasemonkey mailing list