-1

I am loading a file like:

firefox my.html

In the my.html I have

<script type="text/javascript" src="some.js"></script>

In a separate tab I am logged in at mysite.com

How could I make a GET request in some.js that accesses URLs available only for logged-in users at mysite.com? (The login is session-based with a cookie.)

kmitov
  • Hopefully you can't, because that would break the entire internet. – deceze Aug 16 '17 at 09:12
  • it is unclear what you are trying to achieve – xGeo Aug 16 '17 at 09:12
  • Well I did and it did not break the Internet. It is quite straightforward, but just with a lot of options. – kmitov Aug 17 '17 at 21:25
  • Also - yes, it is unclear because the setup is quite complex and I've tried to minimize it to a very specific example, but the idea is to be able to run a script locally from filesystem only if you are currently logged in at a specific site. – kmitov Aug 17 '17 at 21:27

1 Answer

1

Your question is somewhat broad, and the various bits of it are mostly covered by other questions. The only part I couldn't find an explicit duplicate for is the sending of cookies. So the three steps you need to take are:

  1. Use XMLHttpRequest as described in this question
  2. Use withCredentials by setting xhr.withCredentials = true so that cookies are sent.
  3. Configure mysite.com to grant permission to the site triggering the request using CORS as described in this answer
Quentin
  • 3. Permissions are granted for CORS. Working on 1 and 2 – kmitov Aug 16 '17 at 10:06
  • It is working to the point that it is sending the correct request, but the response is empty when the XMLHttpRequest is used... – kmitov Aug 16 '17 at 10:38
  • How are you determining that the response is empty? – Quentin Aug 16 '17 at 10:41
  • looking at xmlHttp.responseText – kmitov Aug 16 '17 at 10:42
  • Probably looking at it at the wrong time. You need a [mcve](https://stackoverflow.com/questions/45709482/local-js-to-use-the-session-from-another-tab/45709700?noredirect=1#). Probably in a new question. – Quentin Aug 16 '17 at 10:43
  • Found it. I should have added access-control-allow-credentials "true" in the CORS. That one was missing. – kmitov Aug 16 '17 at 10:50
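The behaviour resolved in the last comment, as an added example that is not part of the original thread: it models the server's CORS headers for a cookie-bearing request and the browser-side CORS check from the Fetch standard, showing why `responseText` stays empty until `Access-Control-Allow-Credentials: true` is sent. The origin `https://tools.example`, the allowlist and all function names are assumptions made for illustration.

```javascript
// Added example. Origins, function names and sample bodies are constructed.
const ALLOWED_ORIGINS = new Set(["https://tools.example"]); // hypothetical allowlist

// Server side: response headers for a cross-origin request that carries cookies.
function corsHeadersFor(requestOrigin, allowCredentials = true) {
  // A page opened from file:// sends "Origin: null", but so does every other
  // opaque origin, so "null" is never echoed back alongside credentials here.
  if (requestOrigin === "null" || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  const headers = {
    "access-control-allow-origin": requestOrigin, // exact origin, never "*"
    "vary": "Origin",                             // keep caches from mixing origins
  };
  if (allowCredentials) headers["access-control-allow-credentials"] = "true";
  return headers;
}

// Browser side: the CORS check that decides whether script may read the response.
function responseReadable(requestOrigin, withCredentials, headers) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;
  if (!withCredentials && allowOrigin === "*") return true;
  if (allowOrigin !== requestOrigin) return false; // "*" fails here with credentials
  if (!withCredentials) return true;
  return headers["access-control-allow-credentials"] === "true";
}

// What xhr.responseText holds: the request is sent either way, but a failed
// check surfaces as a network error with an empty body.
function visibleResponseText(requestOrigin, withCredentials, headers, body) {
  return responseReadable(requestOrigin, withCredentials, headers) ? body : "";
}

const origin = "https://tools.example";
const body = '{"user":"constructed-sample"}';
console.log("without Allow-Credentials:",
  JSON.stringify(visibleResponseText(origin, true, corsHeadersFor(origin, false), body)));
console.log("with Allow-Credentials:   ",
  JSON.stringify(visibleResponseText(origin, true, corsHeadersFor(origin, true), body)));
```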