GM_cookie - HttpOnly Cookie #465

AugustoResende opened this issue Nov 7, 2017 · 44 comments

@AugustoResende

AugustoResende commented Nov 7, 2017

Is it possible to add GM_cookie to remove/manipulate HttpOnly cookies?

chrome.webRequest.onBeforeRequest.addListener(
  function(details) {
    removeCookies('https://www.example.com');
  },
  {
    urls: [
      "*://*.example.com/*"
    ]
  }
);
@derjanb
Member

derjanb commented Nov 10, 2017

You can either manipulate cookies via document.cookie or retrieve resources via GM_xhr and the anonymous option set. Besides this it's not possible to modify cookies at the moment.

@derjanb derjanb closed this as completed Nov 10, 2017
@janekptacijarabaci

janekptacijarabaci commented Nov 11, 2017

However, some inspiration is here:
greasemonkey/greasemonkey#1802
(janekptacijarabaci/greasemonkey@dc5487e)

e.g.:

var arrayOfCookies = GM_cookie("list");
console.log(JSON.stringify(arrayOfCookies));

var trueOrThrow = GM_cookie("set", {
  "name": "cookieName",
  "value": "cookieValue",
  "path": "/path",
  "expiration": Date.parse("Jan 17, 2037") / 1000,
  "secure": true,
  "httpOnly": true,
  "session": false,
});

var countOfDeletedCookies = GM_cookie("delete", {
  "name": "cookieName", // required
  "path": "/", // optional
});

@derjanb derjanb reopened this Nov 11, 2017
@AugustoResende2

@derjanb httponly cookies can't be set or modified using document.cookie

@maple3142

Can I set cross domain cookie with GM_cookie or GM_xmlhttpRequest?
Because a site has domain A & domain B.
To enter domain B you have to log in on domain A, but they don't have 'Allow-Control-Allow-Origin'.
So I use GM_xmlhttpRequest to simulate login on domain A, but cookie is not set on domain A.
Is there any workaround to achieve it?

@derjanb
Member

derjanb commented Oct 11, 2018

I finally found some time to implement GM_cookie. :) Please let me know if you find bugs or issues.

// ==UserScript==
// @name        GM_cookie examples
// @namespace   test
// @version     0.1
// @include     https://example.com
// @run-at      document-end
// @grant       GM_cookie
// @grant       GM.cookie
// ==/UserScript==

// GM_cookie(method, details, cb) is implemented for compatibility reasons, but due to its asynchronous nature a callback needs to be given
// * method is one of list, set and delete
// * details might contain different method-dependent properties
//   -> details.url defaults to the current document's URL
//      Note: Tampermonkey checks if the script has @include or @match access to that URL!

GM_cookie('list', { name: 'name' }, function(cookies, error) {
    if (!error) console.log(cookies);
});

// GM_cookie.list details supports url, domain, name and path
GM_cookie.list({ url: 'https://example.com' }, function(cookies, error) {
    if (!error) console.log(cookies);

    /* logs something like this:
    [
        {
            domain: "https://example.com"
            hostOnly: true
            httpOnly: false
            name: "name"
            path: "/"
            sameSite: "no_restriction"
            secure: false
            session: true
            value: "some_value"
        }
    ]
    */
});

GM.cookie.list({ name: 'name' }).then(function(cookies) {
    console.log(cookies);
});

// GM_cookie.set details supports all properties defined here: https://developer.chrome.com/extensions/cookies#method-set
GM_cookie.set({ name: 'name', value: 'foo', httpOnly: true }, function(error) {
    console.log(error || 'success');
});

GM.cookie.set({ name: 'name', value: 'foo', secure: true })
.then(function() {
    console.log('done');
}, function(error) {
    console.log(error);
});

// GM_cookie.delete details supports url, name
GM_cookie.delete({ name: 'name' }, function(error) {
    console.log(error || 'success');
});

@derjanb derjanb added this to the 4.8 milestone Oct 11, 2018
@Couchy

Couchy commented Oct 20, 2018

Does anyone have a use case that doesn't involve stealing logins? This seems like a security issue. HttpOnly cookies are usually set that way for a reason.

@derjanb
Member

derjanb commented Nov 2, 2018

I don't think GM_cookies adds a new level of insecurity. Scripts can only access cookies of URLs where they are allowed to run at. And since they are allowed to run there, they can steal logins and passwords directly while they are entered, right? GM_cookie only allows access to potential access tokens. But of course, I'm open to discussions.

@rodorgas What is your use case for accessing HttpOnly cookies?

@Pytness

Pytness commented Nov 12, 2018

@Couchy @derjanb I have a case where the user id is in an HttpOnly cookie. I could take the uid from an anchor, but that would make me load/fetch the page and search for it. Having a method to access that cookie would save me time.

@AugustoResende
Author

@derjanb to remove the HttpOnly cookie to 'clean' the news websites counter with soft paywall

@bbshih

bbshih commented Dec 21, 2018

Is this in the beta? I'm seeing "GM_cookie" is not defined

@derjanb
Member

derjanb commented Dec 22, 2018

@bbshih While using this?

// @grant       GM_cookie
// @grant       GM.cookie

@bbshih

bbshih commented Feb 20, 2019

It's now showing up, however I'm unable to list the entire cookie. I was doing GM.cookie.list({}).then(...) but now the promise return is giving me back a "not supported" error. Do I have to have a property in the list parameter object or is {} ok?

@halflife3

@bbshih It's because in the recent version 4.9.5914, the GM_cookies support is disabled.
@derjanb But why disable it? Or perhaps there is a better way to get HttpOnly cookies?

@cuylerstuwe

cuylerstuwe commented Jun 19, 2019

> Does anyone have a use case that doesn't involve stealing logins? This seems like a security issue. HttpOnly cookies are usually set that way for a reason.

@Couchy

I have a scraper that works best in a standard browser window rather than a headless one (for fingerprinting reasons), and the site that it scrapes accumulates extra cookie-info on each request, leading to a 400 Bad Request - Request Header Or Cookie Too Large every X requests.

Without GM_cookie, I either have to elevate to an extension (a little overboard for this relatively-simple scraper), pursue other possibilities, or continue manually clearing cookies. It's the delete functionality that I'd get the most use from.

@NabiKAZ

NabiKAZ commented Aug 28, 2019

How can I use GM_cookie?
Is it usable in current release version?

@seiry

seiry commented Sep 10, 2019

Was GM_cookie removed in the stable version? @derjanb

@vcheckzen

> Was GM_cookie removed in the stable version? @derjanb

The stable version never supported it, but the beta version has.

@navchandar

@derjanb when will this feature be available in the stable version?

@magicdawn

For Chrome, there is chrome.cookies.<method> https://developer.chrome.com/extensions/cookies

If the userscript platform does not support it, I have to upgrade the userscript to a browser extension.

@lainverse

Two improvements:

  • Make GM_cookie.delete pass cookie object which it received to delete into callback to be able to perform some other actions with it. GM.cookie.delete should return a promise and pass the same object as a result.
  • Hide own TM_... cookies during a startup since apparently script at document-start with instant injection mode can occasionally see and remove them.

@qsniyg

qsniyg commented Oct 31, 2020

Sorry for bumping, but are there any updates on mainlining this?

My use case for this is to support sites like twitter which add CSRF checks through cookies to their API calls (the value of a csrf cookie needed to be present in the headers). Yes it's possible to access those cookies through document.cookie (they're not httponly, and can't be as their client-side code requires reading them), but only if the user is on that page (twitter.com). My script needs to perform those API calls on any page (wherever there's a link to twitter etc. that the user wants to pop up). While I'm able to support this for the extension version of my script, I'd like to be able to offer the same functionality for userscript users.

Thanks for your work on this!

@mpeters-edu

Some problems in Firefox:

  • GM.cookie.set hangs:
    • when .session is present (just try to set any cookie returned by GM.cookie.list)
    • when .sameSite is incorrect (e.g. none instead of no_restriction)
  • GM.cookie.set breaks with .hostOnly flag:
    • seems to ignore .hostOnly (always false)
    • seems to add a '.' character before the domain (which causes duplicate cookie instead of modifying existing)
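
For the Firefox problems listed above, one way to prepare a cookie returned by GM.cookie.list before passing it back to GM.cookie.set (an added example, not part of the original comment and not Tampermonkey code). It assumes the chrome.cookies.set semantics linked earlier in the thread, where omitting domain yields a host-only cookie and omitting expirationDate yields a session cookie; toSetDetails is a hypothetical helper name.

```javascript
// Added example: turn a cookie object from GM.cookie.list into details for GM.cookie.set.
// toSetDetails is a hypothetical helper name, not part of the GM API.
const COPY_KEYS = ['name', 'value', 'path', 'secure', 'httpOnly', 'expirationDate'];
const SAME_SITE = ['no_restriction', 'lax', 'strict'];

function toSetDetails(cookie, url) {
  const details = { url };
  for (const key of COPY_KEYS) {
    if (cookie[key] !== undefined) details[key] = cookie[key];
  }
  // 'session' exists only in list output; a session cookie has no expirationDate.
  if (cookie.session) delete details.expirationDate;
  // 'hostOnly' exists only in list output; leaving 'domain' out keeps the cookie
  // bound to the host of 'url' instead of widening it to subdomains.
  if (!cookie.hostOnly && cookie.domain) details.domain = cookie.domain;
  // Map the 'none' spelling named in the report to the value the API expects.
  const sameSite = cookie.sameSite === 'none' ? 'no_restriction' : cookie.sameSite;
  if (sameSite !== undefined && sameSite !== 'unspecified') {
    if (!SAME_SITE.includes(sameSite)) {
      throw new RangeError('unsupported sameSite: ' + sameSite);
    }
    details.sameSite = sameSite;
  }
  return details;
}

// Constructed sample, shaped like the list output logged earlier in the thread.
const listed = {
  domain: 'example.com', hostOnly: true, httpOnly: true, name: 'name',
  path: '/', sameSite: 'none', secure: true, session: true, value: 'some_value',
};

const details = toSetDetails(listed, 'https://example.com/');
console.log(details);
```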

@Anonymous941

> Does anyone have a use case that doesn't involve stealing logins? This seems like a security issue. HttpOnly cookies are usually set that way for a reason.

@Couchy Syncing logins between multiple computers.

@derjanb derjanb modified the milestones: 4.8, 4.15 Jan 28, 2022
@piit79

piit79 commented Mar 3, 2022

Just to check as it's unclear to me - is the GM_cookie functionality available in beta at the moment or not? :) Thanks!

@marios88

marios88 commented Apr 14, 2022

Currently not working (Firefox + Tampermonkey beta), hope to see this in stable!

Edit:

GM.cookie works in 4.16.6160

For anyone interested you have to use

// @match        https://www.example.com/*
// @grant       GM.cookie
...
const cookieName = 'COOKIENAME';
GM.cookie.list({ name: cookieName }).then(function(cookie) {
    console.log(cookie);
});

@jonnytest1

jonnytest1 commented Aug 9, 2022

I have a functionality that doesn't involve stealing credentials ^^ - I want to try to implement an advanced tab share that recreates the tab on another device (get all the HttpOnly cookies and copy them into the new tab, until the session expires).

Oh, btw, the GM-cookie API should definitely operate behind a white/blacklist like xhr requests.

@realJoshByrnes

Use case: Charged >$100 per month per license where each browser consumed a license.

@BaHeK1994

GM_cookie.list returns the error "not supported" on Google Chrome. How do I fix it?

@derjanb derjanb removed this from the 4.15 milestone Dec 2, 2022
@JenieX

JenieX commented Jan 9, 2023

> GM_cookie.list returns the error "not supported" on Google Chrome. How do I fix it?

Only the beta version is supported.

@optionsx

> > GM_cookie.list returns the error "not supported" on Google Chrome. How do I fix it?

> Only the beta version is supported.

it's available in stable

@JenieX

JenieX commented Feb 17, 2023

> > > GM_cookie.list returns the error "not supported" on Google Chrome. How do I fix it?

> > Only the beta version is supported.

> it's available in stable

Did they just add it recently?

@optionsx

optionsx commented Feb 17, 2023 via email

@derjanb
Member

derjanb commented Feb 19, 2023

GM_cookie is enabled (functional) in all but the Chrome Webstore stable version.

@yuezk

yuezk commented Mar 21, 2023

Hi @derjanb, when will it be available in the stable version?

@KaKi87

KaKi87 commented Apr 13, 2023

> Does anyone have a use case that doesn't involve stealing logins?

I do.

I created Dark Reader dynamic blacklist, a userscript that, among other things, automatically enables a website's official dark theme when not enabled by default.

Fortunately, most websites rely on localStorage to save that setting, but unfortunately, there are also websites that use cookies instead.

Here's how I handle that kind of website :

  1. The page loads ;
  2. The userscript does not see a dark theme cookie so it sets one and reloads the page ;
  3. The page reloads ;
  4. The userscript sees the cookie.

On websites that use cookies for multiple settings, modifying any setting from the UI rewrites all cookies, making those invisible from my userscript because of the HttpOnly attribute.

Here's what's happening in that situation :

  1. The page loads ;
  2. The userscript does not see a dark theme cookie so it sets one and reloads the page ;
  3. The page reloads ;
  4. The userscript sees the cookie ;
  5. The user changes any setting unrelated to the dark theme ;
  6. The page reloads with all cookies rewritten with the HttpOnly attribute ;
  7. The userscript does not see the dark theme cookie despite being there, so it tries setting it again and reloading the page, in a loop.

But with the GM_cookie API, the userscript would see that the cookie exists despite having the HttpOnly attribute and thus not get stuck.

Thanks
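
The reload loop described in this comment, as an added example that is not part of the original comment or of any userscript manager's code. The browser object is a constructed in-memory stand-in for document.cookie and GM.cookie so the logic runs under Node, and all function names are hypothetical.

```javascript
// Constructed stand-in: document.cookie and GM.cookie both read the same cookie jar.
function makeFakeBrowser(jar) {
  return {
    // document.cookie never exposes HttpOnly cookies to script code.
    documentCookie: () =>
      jar.filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join('; '),
    // Promise-based list/set, shaped like the GM.cookie calls shown earlier in the thread.
    gmCookie: {
      list: ({ name }) => Promise.resolve(jar.filter(c => c.name === name)),
      set: (details) => {
        const i = jar.findIndex(c => c.name === details.name);
        const cookie = { httpOnly: false, ...details };
        if (i >= 0) jar[i] = cookie; else jar.push(cookie);
        return Promise.resolve();
      },
    },
  };
}

// Check based on document.cookie only: blind to HttpOnly cookies, so it keeps reloading.
function decideWithDocumentCookie(browser, name) {
  const seen = browser.documentCookie().split('; ')
    .some(pair => pair.split('=')[0] === name);
  return seen ? 'keep' : 'set-and-reload';
}

// Check based on GM.cookie.list: sees the cookie whether or not it is HttpOnly.
async function decideWithGmCookie(browser, name, value) {
  const cookies = await browser.gmCookie.list({ name });
  if (cookies.length > 0) return 'keep';
  await browser.gmCookie.set({ name, value });
  return 'set-and-reload';
}

// Constructed scenario: the site has rewritten the theme cookie as HttpOnly (step 6).
async function demo() {
  const jar = [{ name: 'theme', value: 'dark', httpOnly: true }];
  const browser = makeFakeBrowser(jar);
  return {
    documentCookie: decideWithDocumentCookie(browser, 'theme'),
    gmCookie: await decideWithGmCookie(browser, 'theme', 'dark'),
  };
}

demo().then(result => console.log(result));
```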

@tophf

tophf commented Apr 14, 2023

@KaKi87, document.cookie is synchronous but GM_cookie is asynchronous meaning there will be a potentially long pause before the result is returned e.g. in case the site runs a big script bundle right after your script calls the API - I've seen delays over 1 second in such cases.

@KaKi87

KaKi87 commented Apr 14, 2023

There's already a delay anyway, so I'm fine with providing a best-effort thing here.

That's not our fault if modern applications continue using ancient stuff like cookies instead of localStorage.

@zxfwinder

GM_cookie returns "not supported" in the latest stable version 4.19.0.

@derjanb
Member

derjanb commented Jun 25, 2023

> GM_cookie returns "not supported" in the latest stable version 4.19.0.

Please use the BETA version for now.

@KaKi87

KaKi87 commented Jun 25, 2023

As a developer creating userscripts for end users, I can't ask them to install a beta.

@KaKi87

KaKi87 commented Jul 15, 2023

We will implement it once it's out of beta in Tampermonkey and actually works.

Violentmonkey already has features that other userscript managers don't have (that's one of the reasons why I ask my users to use it), so why couldn't GM.cookie be one of those ?

As I previously mentioned, this feature is the only thing that can fix my issue : no workaround exists.

Thanks

@KaKi87

KaKi87 commented Jul 24, 2023

@tophf ?

@JingMatrix

@KaKi87 For Android browsers, I have implemented the GM_cookie API in ChromeXt, see docs given in JingMatrix/ChromeXt#115 .
Could you please try the implementation or provide a UserScript with @grant GM_cookie to test if your previously described idea works?

@ContrapunctusII

Why are there no plans for GM_cookie to be included in the stable release?
