Tampermonkey / tampermonkey

Tampermonkey is the most popular userscript manager, with over 10 million users. It's available for Chrome, Microsoft Edge, Safari, Opera Next, and Firefox.
GNU General Public License v3.0

GM_xmlhttpRequest No Longer Sending Basic Auth in Chrome #1221

Closed septies434r closed 3 years ago

septies434r commented 3 years ago

Expected Behavior

GM_xmlhttpRequest to support basic auth user/password or username/password arguments. Until recently this was working fine but seems to have been broken by a recent Tampermonkey or Chrome update.

Actual Behavior

Server returns 401 and examination of the request shows no "Authorization" line in the request headers.

Workaround

Manually adding the "Authorization" line to the request headers works as expected.

Specifications

Script

Visit tristanhammat.com.au with this userscript enabled and it will test a basic auth GM_xmlhttpRequest and print the result in the browser console and also in the console embedded in the webpage itself. If you would like to test the workaround uncomment the "headers" line.

// ==UserScript==
// @name         GM_xmlhttpRequest Authentication Test
// @namespace    http://tampermonkey.net/
// @version      1.0
// @description  This will show the outcome of a GM_xmlhttpRequest authentication test.
// @author       You
// @match        *://tristanhammat.com.au/*
// @grant        GM_xmlhttpRequest
// ==/UserScript==

const USERNAME = "test";
const PASSWORD = "test";
const REQUEST_URL = "https://tristanhammat.com.au/projects/GM_xmlhttpRequestAuthTest/test.txt";

GM_xmlhttpRequest({
    "method": "GET",
    "url": REQUEST_URL,
    // Credentials passed as arguments; this is the path that stopped producing an Authorization header.
    "username": USERNAME,
    "password": PASSWORD,
    // Uncomment the line below to see the workaround in action.
    //"headers": { "Authorization": "Basic " + btoa(`${USERNAME}:${PASSWORD}`)},
    "onload": function(xmlhttp) {
        let result = null;
        if (xmlhttp.status === 200) {
            result = `GM_xmlhttpRequest request succeeded with response: ${xmlhttp.responseText}`;
        }
        else {
            result = `GM_xmlhttpRequest request failed with status ${xmlhttp.status}`;
        }
        console.log(result);
        // textContent rather than innerHTML: the response body is displayed as text, never parsed as markup.
        document.querySelector(".console").textContent = result;
    }
});

7nik commented 3 years ago

Btw, maybe it'd be better to use the user field in docs instead of username for better compatibility with other script managers (e.g., GM and VM). Anyway, TM was supporting the user field too.

septies434r commented 3 years ago

> Btw, maybe it'd be better to use the user field in docs instead of username for better compatibility with other script managers (e.g., GM and VM). Anyway, TM was supporting the user field too.

Yes, good point! I was actually using user in a number of scripts when this issue started. I ended up switching to username while debugging this issue as the Tampermonkey documentation for GM_xmlhttpRequest only mentions username and not user and I wanted to test if the support for user had been deprecated.
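
The header workaround from the report, combined with the user/username compatibility point above, as an added example that is not code from this thread or from Tampermonkey. The helper names `basicAuthHeader` and `withBasicAuth` are hypothetical, and the HTTPS check is an assumption about what a script author would want, since Basic credentials are only base64-encoded.

```javascript
// Added example; helper names are hypothetical, not part of Tampermonkey's API.

// Build an RFC 7617 "Basic" credential. btoa() alone throws on characters
// outside Latin-1, so the user:password pair is UTF-8 encoded first.
function basicAuthHeader(user, password) {
    if (user.includes(":")) {
        throw new Error("Basic auth user-id must not contain ':'");
    }
    const bytes = new TextEncoder().encode(`${user}:${password}`);
    let binary = "";
    for (const b of bytes) {
        binary += String.fromCharCode(b);
    }
    return "Basic " + btoa(binary);
}

// Return a copy of a GM_xmlhttpRequest details object with an explicit
// Authorization header derived from its user/username and password fields.
function withBasicAuth(details) {
    const user = details.user ?? details.username;
    if (user === undefined || details.password === undefined) {
        return details; // no credentials supplied, nothing to add
    }
    // Resolve relative URLs against the page when running in a browser.
    const base = typeof location === "undefined" ? undefined : location.href;
    // Base64 is an encoding, not encryption: refuse cleartext transport.
    if (new URL(details.url, base).protocol !== "https:") {
        throw new Error("refusing to send Basic credentials to " + details.url);
    }
    const headers = { ...(details.headers || {}) };
    // Header names are case-insensitive; keep one the script already set.
    const preset = Object.keys(headers)
        .some((name) => name.toLowerCase() === "authorization");
    if (!preset) {
        headers["Authorization"] = basicAuthHeader(user, details.password);
    }
    return { ...details, headers };
}

// In a userscript:
// GM_xmlhttpRequest(withBasicAuth({ method: "GET", url, user, password, onload }));
```

Because the header is attached explicitly, the request no longer depends on which of the two credential field names the script manager honours.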

derjanb commented 3 years ago

> Until recently this was working fine

Will be fixed at the next beta release.

> Btw, maybe it'd be better to use the user field in docs

I fixed the documentation. Thanks.

septies434r commented 3 years ago

> Will be fixed at the next beta release.

> I fixed the documentation. Thanks.

Wow, that is some fast work! Impressive.

KaiDrolop commented 3 years ago

Hello,

Same here, since I updated Chrome it no longer works.

GM.xmlHttpRequest({
  method: "GET",
  url: "/api/28/api_global_rankings/view/0/1",
  headers: {
    "User-Agent": "Chrome/83.0.4103.116",    // If not specified, navigator.userAgent will be used.
    "Accept": "text/xml"            // If not specified, browser defaults will be used.
  },
  onload: function(response) {
    var responseXML = null;
    // Inject responseXML into existing Object (only appropriate for XML content).
    if (!response.responseXML) {
      responseXML = new DOMParser()
        .parseFromString(response.responseText, "text/xml");
    }
var data = JSON.parse(response.responseText);

Before it used to work and now it doesn't. Is it a problem with my code or with Tampermonkey?

7nik commented 3 years ago

@KaiDrolop

  1. your example isn't even complete; at least, it lacks closing brackets.
  2. it works for me if I close brackets.
  3. it's stupid to parse the response as both JSON and XML; the response can be only one of them.
  4. there is no reason to use GM.XHR for requests to the current site, unless you really need something like a custom User-Agent header - use fetch or browser's XHR instead.

derjanb commented 3 years ago

> Server returns 401 and examination of the request shows no "Authorization" line in the request headers.

Should be fixed at latest BETA version 4.13.6136