GM_xmlhttpRequest can perform an ajax call that ignores the same origin policy.
I have checked the network panel in Chrome but I cannot find the XHR from GM_xmlhttpRequest in it. It just works.
I'd like to know what exactly happened and the reason why it works. Thank you.
6

Brock Adams

Andrew Zhang
1 Answer
10
Tampermonkey can do cross-origin ajax because it is an extension and extensions are trusted much more than some website's JavaScript. See "Referencing external resources" in the Chrome extension API.
Tampermonkey scripts operate in a privileged scope and GM_xmlhttpRequest was created specifically to wrap around a privileged XMLHttpRequest call.
To see the Tampermonkey XHR, you must inspect Tampermonkey's background page. You will see the userscript's XHR in the network panel there.

Brock Adams
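An added example, not part of the original answer or of Tampermonkey's own code: a userscript asks for the privileged wrapper described above in its metadata block (@grant) and, in Tampermonkey, lists the hosts it may reach with @connect. This sketch parses that block and reports how much cross-origin reach a script has requested. The sample script and the function names parseMetadata and auditCrossOrigin are constructed for illustration.

```javascript
// Constructed sample userscript (not taken from the page).
const SAMPLE = `// ==UserScript==
// @name     Price helper (constructed sample)
// @match    https://shop.example/*
// @grant    GM_xmlhttpRequest
// @grant    GM_setValue
// @connect  api.example.net
// @connect  *
// ==/UserScript==
GM_xmlhttpRequest({ method: "GET", url: "https://api.example.net/v1" });`;

// Parse the "// ==UserScript==" header into { key: [values...] }.
function parseMetadata(source) {
  const meta = Object.create(null); // no inherited keys such as "constructor"
  let inBlock = false;
  for (const raw of source.split(/\r?\n/)) {
    const line = raw.trim();
    if (/^\/\/\s*==UserScript==$/.test(line)) { inBlock = true; continue; }
    if (/^\/\/\s*==\/UserScript==$/.test(line)) break;
    if (!inBlock) continue;
    const m = /^\/\/\s*@(\S+)(?:\s+(.*))?$/.exec(line);
    if (m) (meta[m[1]] = meta[m[1]] || []).push((m[2] || "").trim());
  }
  return meta;
}

// Report whether the script requested the privileged XHR wrapper
// and how widely its @connect lines let that wrapper reach.
function auditCrossOrigin(source) {
  const meta = parseMetadata(source);
  const grants = meta.grant || [];
  // Matches GM_xmlhttpRequest and the GM.xmlHttpRequest spelling.
  const hasXhr = grants.some(g => /^GM[_.]xmlhttprequest$/i.test(g));
  const connect = meta.connect || [];
  const findings = [];
  if (hasXhr) {
    findings.push("requests privileged cross-origin XHR");
    if (connect.includes("*")) findings.push("@connect * allows any host");
    else if (connect.length === 0) findings.push("no @connect allowlist declared");
  }
  const runsOn = [...(meta.match || []), ...(meta.include || [])];
  return { hasXhr, connect, runsOn, findings };
}

console.log(auditCrossOrigin(SAMPLE));
```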