2

Is there anyway to access a secure cookie from a Greasemonkey script?
I wrote script that uses the document.cookie.split function. It returns a list of cookies but it doesn't included the secure cookie(s).

Brock Adams
  • 90,639
  • 22
  • 233
  • 295
Hadi
  • 130
  • 2
  • 8
  • Does this answer your question? [How can I access and possibly modify a cookie with a userscript?](https://stackoverflow.com/questions/65749907/how-can-i-access-and-possibly-modify-a-cookie-with-a-userscript) – double-beep Nov 24 '21 at 16:55

1 Answers1

5

I'm guessing you really mean cookies with the HttpOnly attribute set. (See, also, Wikipedia for HttpOnly cookie.)
In that case, you cannot access these cookies from Greasemonkey because they are forbidden to JavaScript, and because Greasemonkey does not provide an alternate mechanism to see them.

You can try making a feature request, but I'm not optimistic about its reception. (Try anyway.)

Firefox add-ons, can work with these cookies, so you can fork the Greasemonkey source yourself or write a helper add-on (example) to get to these cookies.

If you mean cookies with the Secure attribute (Cookies that must be sent only over HTTPS), then I believe you can access those from injected code in the target page scope, but I'm not set up to test this at the moment. (The target page must be loaded over HTTPS and on the exact same domain as the cookies you want.)

Mark Amery
  • 143,130
  • 81
  • 406
  • 459
Brock Adams
  • 90,639
  • 22
  • 233
  • 295
  • 1
    i tested accessing document.cookie directly from the console, using `console.log(document.cookie)` and then accessing it via an injected script using the following code `text="console.log(document.cookie)" ;x=document.createElement('script');x.textContent=text;document.getElementsByTagName('head')[0].appendChild(x)` both methods produced identical results (neither method revealed the HTTP only cookies) – user280109 Oct 14 '17 at 13:15