[Greasemonkey] XMLHttpRequest and document.domain

chris feldmann cfeldmann at gmail.com
Mon Jul 25 00:21:47 EDT 2005


I wonder, though, why you're needing XMLHttpRequest at all. A script like 
the one below rewrites all the links on the front 
page before you ever click on them so that they already point to the printer 
version (it works):

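// ==UserScript==
// @name            timestest
// @namespace       
// @include         http://timesofindia.indiatimes.com/*
// ==/UserScript==

(function ()
{
	var a, link, href;
	// Select every link whose href points at an article page.
	a = document.evaluate(
		'//a[contains(@href, "articleshow")]',
		document,
		null,
		XPathResult.UNORDERED_NODE_SNAPSHOT_TYPE,
		null);
	for (var j = 0; j < a.snapshotLength; j++) {
		link = a.snapshotItem(j);
		// Rewrite .../<id>.cms to .../msid-<id>,prtpage-1.cms. Requiring the
		// leading "/" skips links that already point to the printer version.
		href = link.href.replace(/\/(\d+)\.cms/gi, '/msid-$1,prtpage-1.cms');
		// Only touch the link when the rewrite actually changed it.
		if (href !== link.href) {
			link.href = href;
		}
	}
})();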



I'm sorry, but I don't have time to wade into that morass of frames and 
scripts on the indiatimes.com homepage, I don't know 
the error you *are* getting, and your script and what you're trying to do 
with it are opaque to me, possibly because I'm dumb. I still think the error 
on req.open() is fundamentally the result of cross-domain requesting.

On 7/24/05, Saravanan <saravanannkl at gmail.com> wrote:
> 
> Let me start from beginning.
> 
> Times of India is the largest newspaper in India. But in their website 
> news articles are presented in multiple pages. To avoid visiting multiple 
> pages for reading a single article(Eg. 
> http://timesofindia.indiatimes.com/articleshow/1180725.cms), I wrote a GM 
> Script which fetches content from the printer friendly of the news article 
> and displays them in a single page.
> 
> TimesPagingRemover GM Script does the following,
> 
> 1. Check for the link to printer friendly page.
> 2. If the printer friendly page exists then make a request to fetch the 
> printer friendly page.
> 3. Take the article content from the printer friendly page and load it in 
> the current page.
> 4. Hide the page navigation links(Previous/Next Links).
> 
> I used GM_xmlhttpRequest for fetching the printer friendly page. But due 
> to the security vulnerability all GM_apis are removed in Greasemonkey 
> version 0.3.5. *Since the news article page and the printer friendly page 
> is in the same domain*, I decided to use XMLHttpRequest to fetch the printer 
> friendly page.
> 
> Sample Urls
> News article page - 
> http://timesofindia.indiatimes.com/articleshow/1180725.cms
> Printer friendly page - 
> http://timesofindia.indiatimes.com/articleshow/msid-1180725,prtpage-1.cms
> 
> But if I make a request to the printer friendly page mozilla throws 
> security exception. Later I found that a script in the page (not my GM 
> script) changes the document.domain from "timesofindia.indiatimes.com" 
> to "indiatimes.com". I thought this may be a reason for the 
> XMLHttpRequest not working. So I tried to fetch the page 
> "http://indiatimes.com" thru XMLHttpRequest request. It worked. So I tried 
> to change the document.domain to the original value 
> "timesofindia.indiatimes.com". Mozilla throws exception for changing the 
> document.domain.
> 
> My question : If the value of document.domain was changed from 
> "timesofindia.indiatimes.com" to "indiatimes.com" in the page javascript 
> then why mozilla throws exception if I change from "indiatimes.com" to 
> "timesofindia.indiatimes.com" in the GM script.
> 
> Hope this explains my problem. 
> 
> In the last two mails for easier understanding of the script I stripped 
> all the other code that is not related to XMLHttpRequest. Now I am attaching 
> two scripts 
> 
> TimesPagingRemover-pre0.3.5.user.js - GM script that uses 
> GM_xmlhttpRequest for reference.
> TimesPagingRemover.user.js - GM script with XMLHttpRequest.
> 
> Thanks
> Saravanan
> 
> 
> On 7/24/05, chris feldmann <cfeldmann at gmail.com> wrote:
> > 
> > On 7/24/05, Saravanan <saravanannkl at gmail.com> wrote: 
> > > 
> > > Let me state my problem simply.
> > 
> > 
> > But you took a step out. 
> > 
> > 1. I am in http://timesofindia.indiatimes.com/ website. 
> > 
> > 
> > 
> > 1.5 (quoting) 'I found that value of document.domain is changed to 
> > "indiatimes.com".' This is your domain. 
> > 1.5.5 (quoting) So I changed my script to make a request to 
> > indiatimes.com. It worked.
> > 
> > 2. My GM script makes xml http request to 
> > > http://timesofindia.indiatimes.com/
> > > 3. Mozilla throws exception for this.
> > 
> > 
> > Anyway, is this the error you're talking about?
> > 
> > Warning: Element referenced by ID/NAME in the global scope. Use W3C 
> > standard document.getElementById() instead.
> > Source File: http://timesofindia.indiatimes.com/
> > Line: 1230
> >  
> > I think that's related to using IE's document.all, if I remember. e.g. 
> > you have <div id="xxx"> and reference it with xxx.attribute, skipping 
> > the xxx = document.getElementById(xxx).
> > But that's a separate issue, I think. What is the script supposed to do 
> > when it's done? I can't really tell how to reproduce the behavior with the 
> > attached script, which is kind of just a stub. 
> > 
> > Thanks
> > > Saravanan
> > > 
> > > On 7/24/05, chris feldmann <cfeldmann at gmail.com > wrote:
> > > > 
> > > > 
> > > > 
> > > > On 7/24/05, Saravanan < saravanannkl at gmail.com> wrote:
> > > > > 
> > > > > Chris,
> > > > > I think you have misunderstood my problem.
> > > > 
> > > > 
> > > > 
> > > > I'm terribly sorry. But see below... 
> > > > 
> > > > I am using *Greasemonkey 0.3.5 version* since last tuesday. Also I 
> > > > > am not using any GM_apis in my script now. Older versions of my script used 
> > > > > GM_xmlhttpRequest for fetching data. Now I am replacing GM_xmlhttpRequest 
> > > > > with XMLHttpRequest to make it compatible with Greasemonkey version 
> > > > > 0.3.5.
> > > > > 
> > > > > I am in timesofindia.indiatimes.com website and my script makes a request to 
> > > > > timesofindia.indiatimes.com. 
> > > > > So it is not cross domain request and therefore my script should work. But 
> > > > > my script is not working and mozilla throws an error. While analyzing the 
> > > > > javascript script tags in the timesofindia.indiatimes.com page I found that value of 
> > > > > document.domain is changed to "indiatimes.com". 
> > > > > So I changed my script to make a request to indiatimes.com. 
> > > > > It worked. 
> > > > 
> > > > 
> > > > 
> > > > Noted. This supports what I'm saying... 
> > > > 
> > > > So I try to change document.domain value to 
> > > > > "timesofindia.indiatimes.com". 
> > > > > But mozilla throws exception for this. 
> > > > 
> > > > 
> > > > It still looks like you're trying to work around the cross-domain 
> > > > limitation of XMLHttpRequest by requesting to a different domain. If one 
> > > > could just spoof the method by altering document.domain, that'd be a 
> > > > pretty weak restriction. Whether the domain of the document you're scripting 
> > > > against is set by script on the page or otherwise is immaterial, it would 
> > > > seem to me. If it comes from indiatimes.com, 
> > > > you've got to request from indiatimes.com. 
> > > > Note I speak as a relative novice. Prove me wrong.
> > > > 
> > > > I believe that the GM script and scripts that are already in the web 
> > > > > page will have the same security permissions. Why the javascript in the page 
> > > > > is able to change the value of document.domain and why not my 
> > > > > GM script.
> > > > > 
> > > > > Thanks
> > > > > Saravanan
> > > > > 
> > > > > 
> > > > > On 7/24/05, chris feldmann < cfeldmann at gmail.com> wrote:
> > > > > > 
> > > > > > Hi,
> > > > > > First off, you should not be using any version of greasemonkey 
> > > > > > that exposes the GM_ api's. You might not have heard, but there's a little 
> > > > > > security problem:
> > > > > > http://greaseblog.blogspot.com/2005/07/mandatory-greasemonkey-update.html 
> > > > > > 
> > > > > > 
> > > > > > Second, XMLHttpRequest won't work across domains, a separate 
> > > > > > security consideration that holds for mozilla across the board. That, I 
> > > > > > suspect, is the source of your error on req.open(). As for 
> > > > > > changing the domain, I'm not sure but it looks like you're just trying to 
> > > > > > pull a workaround on that security restriction. 
> > > > > > 
> > > > > > On 7/24/05, Saravanan < saravanannkl at gmail.com> wrote:
> > > > > > 
> > > > > > > Hi,
> > > > > > > > I am working on a Greasemonkey script that uses XMLHttpRequest. This
> > > > > > > > script acts on the url pattern "http://timesofindia.indiatimes.com/*".
> > > > > > > > When the GM script tries to connect to url 
> > > > > > > > "http://timesofindia.indiatimes.com/" then mozilla throws an exception
> > > > > > > > "Permission denied to call method XMLHttpRequest.open". But the GM
> > > > > > > > script is able to connect successfully to the url 
> > > > > > > > "http://indiatimes.com/".
> > > > > > > > 
> > > > > > > > After digging out I found that the document.domain value is changed 
> > > > > > > > from "timesofindia.indiatimes.com" to "indiatimes.com" in the page
> > > > > > > > thru javascript. I thought this may be reason for XMLHttpRequest not 
> > > > > > > > working in my script. so I tried to change the value of
> > > > > > > > document.domain back to "timesofindia.indiatimes.com" in the script.
> > > > > > > > mozilla throws exception when the script tries to change the value of 
> > > > > > > > document.domain. 
> > > > > > > > 
> > > > > > > > Is my assumption correct or am I missing something. can somebody throw
> > > > > > > > some light on XMLHttpRequest security and how it is handled in mozilla
> > > > > > > > browsers.
> > > > > > > 
> > > > > > > I am attaching my GM script for reference 
> > > > > > > 
> > > > > > 
> > > > > _______________________________________________
> > > > > Greasemonkey mailing list
> > > > > Greasemonkey at mozdev.org 
> > > > > http://mozdev.org/mailman/listinfo/greasemonkey
>
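
Added example, not part of the original thread and not Mozilla's code: a small JavaScript model of the two rules the thread runs into. It assumes, from the behaviour reported above, that document.domain may only be set to its current value or a parent domain of it, and that XMLHttpRequest.open() is checked against the current document.domain. PageModel, isSameOrParentDomain and replayThread are hypothetical names.

```javascript
// Simplified model of the behaviour reported in this thread (constructed for
// illustration; not Mozilla source code). All names here are hypothetical.

// True when `candidate` equals `current` or is a parent domain of it,
// matched on a label boundary ("atimes.com" is NOT a parent of "indiatimes.com").
function isSameOrParentDomain(candidate, current) {
  candidate = candidate.toLowerCase();
  current = current.toLowerCase();
  return candidate === current || current.endsWith('.' + candidate);
}

class PageModel {
  constructor(url) {
    this.host = new URL(url).hostname; // host the page was loaded from
    this.domain = this.host;           // initial value of document.domain
  }

  // document.domain setter: the value may only be shortened, never lengthened.
  setDomain(value) {
    if (!isSameOrParentDomain(value, this.domain)) {
      throw new Error('Illegal document.domain value: ' + value);
    }
    this.domain = value.toLowerCase();
  }

  // Assumption taken from the thread: the XMLHttpRequest.open() check compares
  // the target host with the *current* document.domain, not the original host.
  canOpen(targetUrl) {
    return new URL(targetUrl).hostname.toLowerCase() === this.domain;
  }
}

// Replays the sequence reported in the thread and returns each outcome.
function replayThread() {
  const page = new PageModel('http://timesofindia.indiatimes.com/');
  const printer = 'http://timesofindia.indiatimes.com/articleshow/msid-1180725,prtpage-1.cms';
  const result = { before: page.canOpen(printer), restoreError: null };
  page.setDomain('indiatimes.com'); // what the site's own script does
  result.sameHostAfter = page.canOpen(printer);
  result.parentAfter = page.canOpen('http://indiatimes.com/');
  try {
    page.setDomain('timesofindia.indiatimes.com'); // what the GM script tried
  } catch (e) {
    result.restoreError = e.message;
  }
  return result;
}

console.log(replayThread());
```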