GM_xmlhttpRequest can perform an ajax call that ignores the same origin policy.
I have checked the network panel in Chrome but I cannot find the XHR from GM_xmlhttpRequest in it. It just works.
I'd like to know what exactly happened and the reason why it works. Thank you.
4
Brock Adams
Andrew Zhang
1 Answer
8
Tampermonkey can do cross-origin ajax because it is an extension and extensions are trusted much more than some website's JavaScript. See "Referencing external resources" in the Chrome extension API.
Tampermonkey scripts operate in a privileged scope and GM_xmlhttpRequest was created specifically to wrap around a privileged XMLHttpRequest call.
To see the Tampermonkey XHR, you must inspect Tampermonkey's background page. You will see the userscript's XHR in the network panel there.
Brock Adams
Thank you for the explanation Brock, this is exactly what I want to know. – Andrew Zhang Feb 05 '18 at 06:09
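Because GM_xmlhttpRequest runs with the extension's privileges rather than the page's, it helps to check what a userscript is allowed to reach before installing it. The following is an added example, not code from the answer or from Tampermonkey: it reads a userscript's metadata block and reports whether the privileged XHR is granted and which hosts are declared. The `@grant` and `@connect` keys are Tampermonkey metadata not mentioned in the answer; the sample script, the host `example.org` and the function names are constructed for illustration.

```javascript
// Added example: audit a userscript's metadata block for privileged XHR reach.
// SAMPLE_SCRIPT is constructed for illustration; example.org is a placeholder host.
const SAMPLE_SCRIPT = `
// ==UserScript==
// @name        Constructed sample
// @match       https://example.org/*
// @grant       GM_xmlhttpRequest
// @grant       GM_setValue
// @connect     api.example.org
// @connect     *
// ==/UserScript==
GM_xmlhttpRequest({ method: "GET", url: "https://api.example.org/data" });
`;

// Collect "// @key value" pairs found between the ==UserScript== markers.
function parseMetadata(source) {
  const block = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/.exec(source);
  const meta = Object.create(null); // no prototype, so odd key names are harmless
  if (!block) return meta;
  for (const line of block[1].split(/\r?\n/)) {
    const m = /^\s*\/\/\s*@(\S+)\s*(.*?)\s*$/.exec(line);
    if (m) (meta[m[1]] = meta[m[1]] || []).push(m[2]);
  }
  return meta;
}

// Report whether the script may issue privileged cross-origin requests, and to where.
function auditCrossOriginReach(source) {
  const meta = parseMetadata(source);
  const grants = meta.grant || [];
  // Matches GM_xmlhttpRequest and the GM.xmlHttpRequest spelling.
  const privilegedXhr = grants.some(g => /^GM[_.]xmlhttpRequest$/i.test(g));
  const hosts = privilegedXhr ? (meta.connect || []) : [];
  const findings = [];
  if (privilegedXhr && hosts.includes("*"))
    findings.push("wildcard @connect: any host is in scope");
  if (privilegedXhr && hosts.length === 0)
    findings.push("GM_xmlhttpRequest granted with no @connect allow-list declared");
  return { privilegedXhr, hosts, findings };
}

console.log(auditCrossOriginReach(SAMPLE_SCRIPT));
```
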