0

I'm building a greasemonkey script to make posting to craigslist a lot easier for our clients.

Basically the flow is this:

  1. User logs into our system (established authentication cookies with asp.net)
  2. User navigates to a section on our site called "CraigsList". If they have the greasemonkey script installed it automatically opens up craigslist in a new tab.
  3. The greasemonkey script then does a request back to our site at http://mysite.com/services.asmx/GetListings to retrieve a list of available items to be posted to craigslist.

This is where it fails because the request to http://mysite.com/services.asmx/GetListings is not including any of the authentication cookies. I'm not sure if it doesn't include the cookies because the request originates from craigslist.org and not mysite.com or what. I know it's an authentication issue because looking at it in fiddler it returns a 302 and redirects to the login page.

Here is my request:

$.ajax({
    url: "http://mysite.com/services.asmx/GetListings",
    dataType: "json",
    type: "post",
    error: function(request, status, error) {
        console.log("an error occurred getting the data");
    },
    success: function(data) {
        console.log("got the data!!!");
    }
});

Any advice would be appreciated.

Micah
  • 111,873
  • 86
  • 233
  • 325
  • 1
    This would, and I'm not really exaggerating, **break the internet**. Any site with cookie based sessions would be completely unsecured, phishing emails wouldn't even need you to login, they could just get your cookie and go. – Nick Craver Jun 09 '10 at 13:38
  • Good point. I hadn't really thought about it that way. Total security risk. What was I thinking. Although, what then is this for: http://stackoverflow.com/questions/2054316/jquery-sending-credentials-with-cross-domain-posts – Micah Jun 09 '10 at 13:45
  • That only passes *your* domain's cookies to the other domain...the user wouldn't have ever passed cookies you need to your domain in the first place :) – Nick Craver Jun 09 '10 at 14:10

1 Answers1

1

It would be an enormous security problem if there were a way for one domain to access browser cookies tagged with a different domain name. Maybe your Greasemonkey script can fish the cookies out of the browser's brain somehow, but if you're driving things by dropping code onto your page, the normal security rules are going to be enforced.

Pointy
  • 405,095
  • 59
  • 585
  • 614