New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
GM_cookie - HttpOnly Cookie #465
Comments
You can either manipulate cookies via |
However, some inspiration is here: e.g.: var arrayOfCookies = GM_cookie("list");
console.log(JSON.stringify(arrayOfCookies));
var trueOrThrow = GM_cookie("set", {
"name": "cookieName",
"value": "cookieValue",
"path": "/path",
"expiration": Date.parse("Jan 17, 2037") / 1000,
"secure": true,
"httpOnly": true,
"session": false,
});
var countOfDeletedCookies = GM_cookie("delete", {
"name": "cookieName", // required
"path": "/", // optional
}); |
@derjanb httponly cookies can't be set or modified using document.cookie |
Can I set cross domain cookie with |
I finally found some time to implement GM_cookie. :) Please let me know if you find bugs or issues. // ==UserScript==
// @name GM_cookie examples
// @namespace test
// @version 0.1
// @include https://example.com
// @run-at document-end
// @grant GM_cookie
// @grant GM.cookie
// ==/UserScript==
// GM_cookie(method, details, cb) is implemented for compatibility reasons, but due to its asynchronous nature a callback needs to be given
// * method is one of list, set and delete
// * details might contain different method-dependent properties
// -> details.url defaults to the current documents URL
// Note: Tampermonkey checks if the script has @include or @match access to that URL!
GM_cookie('list', { name: 'name' }, function(cookies, error) {
if (!error) console.log(cookies);
});
// GM_cookie.list details supports url, domain, name and path
GM_cookie.list({ url: 'https://example.com' }, function(cookies, error) {
if (!error) console.log(cookies);
/* logs something like this:
[
{
domain: "https://example.com"
hostOnly: true
httpOnly: false
name: "name"
path: "/"
sameSite: "no_restriction"
secure: false
session: true
value: "some_value"
}
]
*/
});
GM.cookie.list({ name: 'name' }).then(function(cookies) {
console.log(cookies);
});
// GM_cookie.set details supports all properties defined here: https://developer.chrome.com/extensions/cookies#method-set
GM.cookie.set({ name: 'name', value: 'foo', httpOnly: true }, function(error) {
console.log(error || 'success');
});
GM.cookie.set({ name: 'name', value: 'foo', secure: true })
.then(function() {
console.log('done');
}, function(error) {
console.log(error);
})
// GM_cookie.delete details supports url, name
GM_cookie.delete({ name: 'name' }, function() {
console.log(error || 'success');
}) |
Does anyone have a use case that doesn't involve stealing logins? This seems like a security issue. HttpOnly cookies are usually set that way for a reason. |
I don't think GM_cookies adds a new level of insecurity. Scripts can only access cookies of URLs where they are allowed to run at. And since they are allowed to run there, they can steal logins and password directly while they are entered, right? GM_cookie only allows access to potential access tokens. But of course, I'm open to discussions. @rodorgas What is your use case for accessing HttpOnly cookies? |
@derjanb to remove the HttpOnly cookie to 'clean' the news websites counter with soft paywall |
Is this in the beta? I'm seeing "GM_cookie" is not defined |
@bbshih While using this? // @grant GM_cookie
// @grant GM.cookie |
It's now showing up, however I'm unable to list the entire cookie. I was doing GM.cookie.list({}).then(...) but now the promise return is giving me back a "not supported" error. Do I have to have a property in the list parameter object or is {} ok? |
I have a scraper that works best in a standard browser window rather than a headless one (for fingerprinting reasons), and the site that it scrapes accumulates extra cookie-info on each request, leading to a Without |
How can I use |
is |
stable version never supported, but beta version has been doing |
@derjanb when will this feature be available in the stable version? |
for chrome, there is if the userscript platform does not support it, I have to upgrade userscript to a browser extension. |
Two improvements:
|
Sorry for bumping, but are there any updates on mainlining this? My use case for this is to support sites like twitter which add CSRF checks through cookies to their API calls (the value of a csrf cookie needed to be present in the headers). Yes it's possible to access those cookies through Thanks for your work on this! |
Some problems in Firefox:
|
@Couchy Syncing logins between multiple computers. |
Just to check as it's unclear to me - is the GM_cookie functionality available in beta at the moment or not? :) Thanks! |
Currently not working (firefox + tampermonkey beta) , hope to see this in stable! Edit: GM.cookie works in 4.16.6160 For anyone interested you have to use
|
i have a functionality that doesnt involve stealing credentials ^^ - i want to try to implement an advanced tab share that recreates the tab on another device (get all the httponly cookies and copy them into the new tab , until session expires) oh btw the GM-cookie api should definitely operate behind a white/blacklist like xhr requests |
Use case: Charged >$100 per month per license where each browser consumed a license. |
GM_cookie.list return error "not supported" on Google Chrome. How fix it? |
Only the beta version is supported. |
it's available in stable |
Did they just add it recently? |
No idea but yesterday i used it on stable and it worked
…On Fri, Feb 17, 2023, 4:30 AM JenieX ***@***.***> wrote:
Did they just add it recently?
—
Reply to this email directly, view it on GitHub
<#465 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AMRT77COEYWGXBSEBUE73Q3WX3IFDANCNFSM4ECUHLEA>
.
You are receiving this because you commented.Message ID:
***@***.***>
|
|
Hi @derjanb, when will it be available in the stable version? |
I do. I created Dark Reader dynamic blacklist, a userscript that, among other things, automatically enables a website's official dark theme when not enabled by default. Fortunately, most websites rely on Here's how I handle that kind of website :
On websites that use cookies for multiple settings, modifying any setting from the UI rewrites all cookies, making those invisible from my userscript because of the Here's what's happening in that situation :
But with the Thanks |
@KaKi87, document.cookie is synchronous but GM_cookie is asynchronous meaning there will be a potentially long pause before the result is returned e.g. in case the site runs a big script bundle right after your script calls the API - I've seen delays over 1 second in such cases. |
There's already a delay anyway, so I'm fine with providing a best-effort thing here. That's not our fault if modern applications continue using ancient stuff like cookies instead of localStorage. |
GM_cookie return "not supported" in the latest stable Version 4.19.0. |
Please use the BETA version for now. |
As a developer creating userscripts for end users, I can't ask them to install a beta. |
Violentmonkey already has features that other userscript managers don't have (that's one of the reasons why I ask my users to use it), so why couldn't As I previously mentioned, this feature is the only thing that can fix my issue : no workaround exists. Thanks |
@tophf ? |
@KaKi87 For Android browsers, I have implemented the |
Why are there no plans for GM_cookie to be included in the stable release? |
Is possible add GM_cookie to remove/manipulate HttpOnly cookies?
The text was updated successfully, but these errors were encountered: