Tampermonkey / tampermonkey

Tampermonkey is the most popular userscript manager, with over 10 million users. It's available for Chrome, Microsoft Edge, Safari, Opera Next, and Firefox.
GNU General Public License v3.0

validation token sent with GM.xmlHttpRequest is wrong in firefox private mode #1782

Open Dediggefedde opened 1 year ago

Dediggefedde commented 1 year ago

Expected Behavior

On deviantart.com a userscript replicates a web request to their API. They use a csrf-token sent as a parameter in a GET request to validate the source. I use a simple call to GM.xmlHttpRequest in order to fetch information.

The variable token is the csrf-token and is fetched from the website from an input element shortly beforehand. The final URL is the exact same as the website generates itself. In normal cases, the request is successful in most browsers, and the csrf-token is valid. Then the response contains data (in this case, a list of a user's favorite submissions) that can be processed.

GM.xmlHttpRequest({
    method: "GET",
    url: `https://www.deviantart.com/_napi/shared_api/gallection/contents?username=${username}&type=collection&folderid=${folderid}&offset=${offset}&limit=60&mature_content=true&${folderid==-1?"all_folder=true&":""}csrf_token=${token}`,
    //url simplified: `https://www.deviantart.com/_napi/contents?csrf_token=${token}`
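    onerror: function(response) {
        // reject comes from the enclosing Promise and takes a single reason,
        // so the response is attached to one Error instead of a dropped 2nd argument
        reject(new Error("request failed", { cause: response }));
    },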
    onload: function(response) {
        //... do things with response
        console.log(response);
    }
});

Actual Behavior

When in Firefox's private mode, the csrf-token is always invalid. Requests from the website itself with the same token are valid, though. If I expand the console entry and copy the "final URL" of the GM.xmlHttpRequest into a new private Firefox tab, the token is also valid! Only in the GM.xmlHttpRequest itself is the token invalid for some reason.

I read that there was a problem in the past where GM.xmlHttpRequest would use the non-private cookie container. Could that be related to this issue? Can the Cookie container be somehow enforced? Is there an option related to Firefox's private mode that I can use to modify the request?

The token is valid in Google Chrome's private mode. Just not in the one of Firefox.

Specifications

The problem occurs in Firefox 113.0.1 and Tampermonkey 4.18.1. I use Windows 10 Build 19045.2965.
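
The cookie-container question raised above matters because a CSRF token is normally checked against the session cookie that travels with the request, so an identical URL can succeed from the page and fail when sent from another cookie store. The following is an added illustration, not code from this issue or from Tampermonkey; `DemoSite`, the `site.example` URL and the session-bound token scheme are assumptions, since the page does not say how deviantart.com validates its token.

```javascript
// Constructed demo: an in-memory site whose CSRF token is bound to the session cookie.
const randomToken = () => (globalThis.crypto?.randomUUID
  ? globalThis.crypto.randomUUID()                 // browsers, Node 19+
  : require("node:crypto").randomUUID());          // older Node

class DemoSite {
  constructor() {
    this.sessions = new Map(); // session id -> CSRF token issued for that session
  }

  // Page load: start a session if the jar has none, then embed its token in the page.
  loadPage(jar) {
    let sid = jar.get("session");
    if (!this.sessions.has(sid)) {
      sid = randomToken();
      jar.set("session", sid);
      this.sessions.set(sid, randomToken());
    }
    return { csrfToken: this.sessions.get(sid) };
  }

  // API call: the token in the URL must be the one issued to the session
  // named by the cookie that arrives with the request.
  api(url, jar) {
    const token = new URL(url).searchParams.get("csrf_token");
    const expected = this.sessions.get(jar.get("session"));
    return expected !== undefined && token === expected
      ? { status: 200, body: "contents" }
      : { status: 403, body: "invalid csrf token" };
  }
}

function replayAcrossCookieJars() {
  const site = new DemoSite();
  const regularJar = new Map(); // cookie store of regular windows
  const privateJar = new Map(); // cookie store of private windows
  site.loadPage(regularJar);    // an unrelated session in a regular window
  const { csrfToken } = site.loadPage(privateJar); // token the userscript reads
  const url = `https://site.example/_napi/contents?csrf_token=${csrfToken}`;
  return {
    samePrivateJar: site.api(url, privateJar).status, // request carries the page's cookies
    regularJar: site.api(url, regularJar).status,     // same URL, other cookie store
    noCookies: site.api(url, new Map()).status,       // same URL, no cookies at all
  };
}

console.log(replayAcrossCookieJars());
```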

derjanb commented 1 year ago

Just to be sure: Have you tried Tampermonkey BETA 4.19.6181 from here -> http://tmnk.net/?browser=firefox

Dediggefedde commented 1 year ago

> Just to be sure: Have you tried Tampermonkey BETA 4.19.6181 from here -> http://tmnk.net/?browser=firefox

I just tried, but I get the same behavior on Tampermonkey Beta 4.19.6181. Also, on Firefox 113.0.2.