[Greasemonkey] XMLHttpRequest and document.domain

chris feldmann cfeldmann at gmail.com
Sun Jul 24 16:05:31 EDT 2005


On 7/24/05, Saravanan <saravanannkl at gmail.com> wrote:
>
> Chris,
> I think you have misunderstood my problem.

I'm terribly sorry. But see below...

> I am using *Greasemonkey 0.3.5 version* since last Tuesday. Also I am not
> using any GM_apis in my script now. Older versions of my script used
> GM_xmlhttpRequest for fetching data. Now I am replacing GM_xmlhttpRequest
> with XMLHttpRequest to make it compatible with Greasemonkey version 0.3.5.
>
> I am in timesofindia.indiatimes.com website and my script makes a request to
> timesofindia.indiatimes.com. So it is
> not cross domain request and therefore my script should work. But my script
> is not working and mozilla throws an error. While analyzing the javascript
> script tags in the timesofindia.indiatimes.com page I found that value of
> document.domain is changed to "indiatimes.com". So
> I changed my script to make a request to indiatimes.com.
> It worked.

Noted. This supports what I'm saying...

> So I try to change document.domain value to
> "timesofindia.indiatimes.com".
> But mozilla throws exception for this.


It still looks like you're trying to work around the cross-domain limitation 
of XMLHttpRequest by requesting to a different domain. If one could just 
spoof the method by altering document.domain, that'd be a pretty weak 
restriction. Whether the domain of the document you're scripting against is 
set by script on the page or otherwise is immaterial, it would seem to me. 
If it comes from indiatimes.com, you've got to
request from indiatimes.com. Note I speak as a
relative novice. Prove me wrong.

> I believe that the GM script and scripts that are already in the web page
> will have the same security permissions. Why the javascript in the page is
> able to change the value of document.domain and why not my GM script.
> 
> Thanks
> Saravanan
> 
> On 7/24/05, chris feldmann <cfeldmann at gmail.com> wrote:
> > 
> > Hi,
> > First off, you should not be using any version of greasemonkey that 
> > exposes the GM_ api's. You might not have heard, but there's a little 
> > security problem:
> > http://greaseblog.blogspot.com/2005/07/mandatory-greasemonkey-update.html 
> > 
> > 
> > Second, XMLHttpRequest won't work across domains, a separate security 
> > consideration that holds for mozilla across the board. That, I suspect, is 
> > the source of your error on req.open(). As for changing the domain, I'm 
> > not sure but it looks like you're just trying to pull a workaround on that 
> > security restriction. 
> > 
> > On 7/24/05, Saravanan <saravanannkl at gmail.com> wrote:
> >
> > > Hi,
> > > I am working on a Greasemonkey script that uses XMLHttpRequest. This
> > > script acts on the url pattern "http://timesofindia.indiatimes.com/*".
> > > When the GM script tries to connect to url
> > > "http://timesofindia.indiatimes.com/" then mozilla throws an exception
> > > "Permission denied to call method XMLHttpRequest.open". But the GM
> > > script is able to connect successfully to the url
> > > "http://indiatimes.com/".
> > >
> > > After digging out I found that the document.domain value is changed
> > > from "timesofindia.indiatimes.com"
> > > to "indiatimes.com" in the page
> > > thru javascript. I thought this may be reason for XMLHttpRequest not
> > > working in my script. So I tried to change the value of
> > > document.domain back to "timesofindia.indiatimes.com"
> > > in the script.
> > > mozilla throws exception when the script tries to change the value of
> > > document.domain.
> > >
> > > Is my assumption correct or am I missing something? Can somebody throw
> > > some light on XMLHttpRequest security and how it is handled in mozilla
> > > browsers?
> > > 
> > > I am attaching my GM script for reference 
> > > 
> > 
> _______________________________________________
> Greasemonkey mailing list
> Greasemonkey at mozdev.org
> http://mozdev.org/mailman/listinfo/greasemonkey
> 
> 
>
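
The exception on writing document.domain back to the full host name follows from how the setter validates its argument. As an added example (not code from this thread or from Greasemonkey), the following models the HTML Standard's current rules for the setter and for the "same origin-domain" comparison; the function names and the three-entry suffix set are constructed for illustration, and Mozilla's 2005 XMLHttpRequest check itself is not modeled.

```javascript
// Added example: models the HTML Standard's document.domain rules.
// PUBLIC_SUFFIXES is a tiny constructed stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// True when `candidate` equals `host`, or is a parent domain of `host`
// that is not itself a public suffix.
function isRegistrableSuffixOrEqual(candidate, host) {
  candidate = candidate.toLowerCase();
  host = host.toLowerCase();
  if (candidate === "") return false;
  if (candidate === host) return true;
  if (!host.endsWith("." + candidate)) return false;
  return !PUBLIC_SUFFIXES.has(candidate);
}

// Minimal origin record: `domain` stays null until document.domain is set.
function makeOrigin(scheme, host, port) {
  return { scheme, host, port, domain: null };
}

// Setter model: the new value is checked against the *effective* domain,
// i.e. the previously relaxed value if there is one, otherwise the host.
// Relaxing is therefore one-way: it cannot be widened back to a subdomain.
function setDocumentDomain(origin, value) {
  const effective = origin.domain !== null ? origin.domain : origin.host;
  if (!isRegistrableSuffixOrEqual(value, effective)) {
    throw new Error(`SecurityError: cannot set document.domain to "${value}"`);
  }
  origin.domain = value.toLowerCase();
  return origin;
}

// "Same origin-domain" comparison used for script access between documents.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  if (a.domain === null && b.domain === null) {
    return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
  }
  return false; // one side relaxed its domain, the other did not
}

// Returns true/false instead of throwing, for quick checks.
function trySet(origin, value) {
  try { setDocumentDomain(origin, value); return true; } catch (e) { return false; }
}
```
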