Few remarks on the implement of GM_xmlhttpRequest

[WhiteSevs]

1. 希望不使用fetch来实现GM_xmlhttpRequest，因为有时候同源请求需要设置headers的User-Agent时，也是属于跨域了，使用fetch的话不会生效该User-Agent；
2. 提高兼容性，当method为GET时，如果details中存在data键，那么设置把method为POST，不然https://github.com/JingMatrix/ChromeXt/blob/master/app/src/main/assets/GM.js的第381行会报错

request = new Request(details.url, {
        cache: "force-cache",
        body: details.data, // 会报错
        ...details,
});

3. GM_cookie未实现，希望可以在脚本环境中删除该API，在·TamperMonkey·中的GM_cookie是ojbect类型；
4. 是否考虑在iframe内注入？webview可以hook接口shouldInterceptRequest，参数WebResourceRequest 对它返回的html进行修改加入js；
5. GM_xmlhttpRequest似乎并没有对请求自动加入Cookie，比如我对一个api进行请求登录，返回的headers里有Cookie信息，后续的同域名请求并没有把Cookie加进去；

[JingMatrix]

Thanks for your interest in ChromeXt and valuable suggestions given here.

Your first two points are now implemented in 90ceb88. However, I shall keep using the fetch API since it can save the network-traffic when a UserScript is trying to get response data of current page resources. Moreover, it is faster than the Java native implement since there is a data conversion layer between Java and JavaScript.

For the third point, I shall add it to the dev plan and implement it soon.

For the fourth point, it is not an easy task for chromium based browsers, so it has lower priority in my plan. A possible implement requires CDP. Everyone is welcome to contribute to this part. Please refer to the following codes if you are interested:

ChromeXt/app/src/main/java/org/matrix/chromext/devtools/WebSocketClient.kt

Lines 70 to 76 in 90ceb88

	fun bypassCSP(bypass: Boolean) {
	if (cspBypassed == bypass) return
	command(null, "Page.enable", JSONObject())
	command(null, "Page.setBypassCSP", JSONObject().put("enabled", bypass))
	cspBypassed = bypass
	if (bypass) DevSessions.add(this)
	}

For the fifth point, I personally think that it is the responsibility of the UserScript to handle the relevant Cookie headers. This is simply because that my implement of GM_xmlhttpRequest is stateless: no data of previous responses are stored anywhere.

[WhiteSevs]

关于第一点，不光User-Agent，还有设置Referer、Host、Origin有时候也很重要的，不知道使用fetch能不能设置
我曾在代码中使用jQuery的$.ajax来代替过GM_xmlhttpRequest

let headers_options_key = [
          "Accept-Charset",
          "Accept-Encoding",
          "Access-Control-Request-Headers",
          "Access-Control-Request-Method",
          "Connection",
          "Content-Length",
          "Cookie",
          "Cookie2",
          "Date",
          "DNT",
          "Expect",
          "Host",
          "Keep-Alive",
          "Origin",
          "Referer",
          "TE",
          "Trailer",
          "Transfer-Encoding",
          "Upgrade",
          "User-Agent",
          "Via",
        ]

[WhiteSevs]

Thanks for your interest in ChromeXt and valuable suggestions given here.

Your first two points are now implemented in 90ceb88. However, I shall keep using the fetch API since it can save the network-traffic when a UserScript is trying to get response data of current page resources. Moreover, it is faster than the Java native implement since there is a data conversion layer between Java and JavaScript.

For the third point, I shall add it to the dev plan and implement it soon.

For the fourth point, it is not an easy task for chromium based browsers, so it has lower priority in my plan. A possible implement requires CDP. Everyone is welcome to contribute to this part. Please refer to the following codes if you are interested:

ChromeXt/app/src/main/java/org/matrix/chromext/devtools/WebSocketClient.kt

Lines 70 to 76 in 90ceb88

	fun bypassCSP(bypass: Boolean) {
	if (cspBypassed == bypass) return
	command(null, "Page.enable", JSONObject())
	command(null, "Page.setBypassCSP", JSONObject().put("enabled", bypass))
	cspBypassed = bypass
	if (bypass) DevSessions.add(this)
	}

For the fifth point, I personally think that it is the responsibility of the UserScript to handle the relevant Cookie headers. This is simply because that my implement of GM_xmlhttpRequest is stateless: no data of previous responses are stored anywhere.

感谢修复，待会儿会去试一下最新版

[JingMatrix]

There is a chroimum bug tracker for the User-Agent issue.
A priori, we are not sure which headers are not effective in the fetch API of chromium. Hence, I'd suggest that we change the condition for fetch API when new related bugs are reported.
Currently, in your UserScript, are there other headers must be changed?

[WhiteSevs]

There is a chroimum bug tracker for the issue. A priori, we are not sure which headers are not effective in the API of chromium. Hence, I'd suggest that we change the condition for API when new related bugs are reported. Currently, in your UserScript, are there other headers must be changed?User-Agent``fetch``fetch

搜集了一下，我的脚本目前使用的headers有

Accept
Authorization
Accept-Encoding
Accept-Language
Content-Type
Host
Origin
Pragma
Referer
x-csrf-token
X-Requested-With

另外关于这个有些建议90ceb88237行，对details.headers中的key进行小写/大写转换判断，因为可能会有不规范写法，如user-agent或者user-Agent又或者uSer-aGent

[JingMatrix]

Now ChromeXt will take all forbidden headers listed on MDN into consideration.
Moreover, you can specify the forceCORS option, see b7b023e .

No worry about the upper or lower spelling cases of the header keys, the Headers API of JavaScript can take care of them automatically.

[WhiteSevs]

刚刚发现一个新bug，当用户的details.responseType期望为json时，此刻的返回的response.responseText内其实是html，这时候会解析失败

[JingMatrix]

Could you give an exmaplar URL for the above bug? Maybe you missed a content-type header.

[WhiteSevs]

https://up.woozooo.com/mlogin.php
用于蓝奏云网盘登录
👇是details结构

[JingMatrix]

I cannot reproduce it using cURL.
Even without any specific headers, the response is still a JSON string:

curl -v 'https://up.woozooo.com/mlogin.php' --data-raw 'task=3&uid=jingmatrix%40gmail.com&pwd=test&setSessionId=&setSig=&setScene=&setToken=&formhash=ab2489d6'

The Java implement of GM_xmlhttpRequest should be the same as cURL.
Could you also show the response data? Maybe you can expand the promise, and find the response data.

[WhiteSevs]

我使用TamperMonkey的请求复现了一下，reponseText并不是json而是html，它的response直接为undefined

[JingMatrix]

The finalUrl indicates that your request didn't follow the redirect correctly. You may retry with the URL https://up.woozooo.com/mlogin.php.

If TamperMonkey cannot response JSON data, then it seems not to be a bug of script manager.

[WhiteSevs]

该请求为302重定向跳转到了https://up.woozooo.com/myfile.php，导致了response.responseText内容应该是json变成了html，
·TamperMonkey·对response.reponse做的处理是不进行JSON.parse，ChromeXt也需要在上面进行兼容性处理，不然ChromeXt的data.response = JSON.parse(data.responseText);就会执行失败导致无法调用脚本的onloadCallBack

刚刚发现一个新bug，当用户的期望为时，此刻的返回的内其实是，这时候会解析失败details.responseType``json``response.responseText``html

[JingMatrix]

It is wired about the redirection, because cURL tells me that https://up.woozooo.com/myfile.php redirects to ./mlogin.php, but you claimed the reverse.

I think when you specify responseType, you are expecting a JSON reponse. And if such response is not available, an error should be thrown.
Hence, I will reject the Promise (after catching it in JSON.parse) with unparsed response. Do you think it is more reasonable?

[WhiteSevs]

很合理，但是如果resolve的话兼容性会更好一些

It is wired about the redirection, because cURL tells me that https://up.woozooo.com/myfile.php redirects to ./mlogin.php, but you claimed the reverse.

I think when you specify responseType, you are expecting a JSON reponse. And if such response is not available, an error should be thrown. Hence, I will reject the Promise (after catching it in JSON.parse) with unparsed response. Do you think it is more reasonable?

[JingMatrix]

In the commit aba8e9d, I throw the parsing error out. Please tell me if this solution is acceptable for you. I think that unless you are using the async version GM.xmlHttpRequest, your code won't stop when there is a promise error.

Also, I implemented the basic APIs of GM_cookie in 567dcdd, but I am not very familar with the usage case of it. Could you please give some usage scenarios? So that I am more aware of what kind of functionalities should be included.

[JingMatrix]

For your fifth point, I found a way to implement it in Java.

Now the anonymous options fully control if the HTTP requests are stateless.

[WhiteSevs]

In the commit aba8e9d, I throw the parsing error out. Please tell me if this solution is acceptable for you. I think that unless you are using the async version GM.xmlHttpRequest, your code won't stop when there is a promise error.

Also, I implemented the basic APIs of GM_cookie in 567dcdd, but I am not very familar with the usage case of it. Could you please give some usage scenarios? So that I am more aware of what kind of functionalities should be included.

1. 试了一下相较之前的并没太大区别，虽然在ChromeXt内抛出了JSON.parse错误，但是脚本的onload并未触发，我删除了自己脚本的responseType: "json"，自己在onload返回内对response.responseText进行了处理。
2. 下面是一些我使用的GM_cookie的例子

// 用来获取用户是否登录的Cookie，该Cookie是HttpOnly，document.cookie无法获取到
function getCookie(cookieName) {
        return new Promise((resolve) => {
          GM_cookie.list({ name: cookieName }, function (cookies, error) {
            if (error) {
              resolve(null);
            } else {
              if (cookies.length == 0) {
                resolve(null);
              } else {
                resolve(cookies[0].value);
              }
            }
          });
        });
      }

await getCookie("userLogin")

[WhiteSevs]

我又找到一个关于response.responseText编码问题

GM_xmlhttpRequest({
    url:"https://tieba.baidu.com/f/search/res?isnew=1&kw=%C4%E6%CB%AE%BA%AE%CA%D6%D3%CE&qw=%CE%E8%D1%F4%B3%C7&un=&rn=10&pn=0&sd=&ed=&sm=1",
    method:"get",
    headers: {
    Referer: "https://tieba.baidu.com/f?ie=utf-8&kw=%E9%80%86%E6%B0%B4%E5%AF%92%E6%89%8B%E6%B8%B8",
    Host: "tieba.baidu.com",
    Accept:
      "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
  },
  responseType: "html",
    onload:(resp)=>{console.log(resp)}
})

在TamperMonkey中正常解码👇

在ChromeXt中乱码👇

猜测是content-type: text/html; charset=GBK的缘故？

[JingMatrix]

Thanks for the feedbacks!

1. Now parsing error won't block onload.
2. To get httpOnly cookie, I should use CDP. This can be done later.
3. You are right, I was assuming UTF-8 encoding. Should be fixed soon.

[WhiteSevs]

Thanks for the feedbacks!

1. Now parsing error won't block onload.
2. To get httpOnly cookie, I should use CDP. This can be done later.
3. You are right, I was assuming UTF-8 encoding. Should be fixed soon.

关于第2点，我在TamperMonkey中测试了一下，当我在headers里设置了{cookie:"xxxxxxx"}，它会自动将属于该domain的为HttpOnly的Cookie自动添加到Cookie前面
例如，当前domain下的cookie有

key	value	domain	path	expires	...	HttpOnly
github_test	1	github.com	/	....
github_test2	2	github.com	/	....		√

// 我设置的cookie

headers: {
  "user-agent":".....",
   cookie: "github_test=1;",
}

发出去的Cookie会变成
Cookie: github_test2=2;github_test=1
也就是，Cookie前面的是当前的，后面的属于用户设置的。
当我尝试通过抓包通过lspatch打包的ChromeXt时，发现请求头存在多个Cookie键，且我设置的Cookie是小写的cookie

[JingMatrix]

httpOnly cookie is not supported yet, but will be done soon. Once it is implemented, httpOnly cookie headers will be appended.
As for the given screenshot, is it a CORS request?
Could you please describe what should be the expected behavior?
If I am correct, in the API, cookie should be set as a property of details instead of headers.

[WhiteSevs]

httpOnly cookie is not supported yet, but will be done soon. Once it is implemented, httpOnly cookie headers will be appended. As for the given screenshot, is it a CORS request? Could you please describe what should be the expected behavior? If I am correct, in the API, cookie should be set as a property of details instead of headers.

对，是跨域请求，修改了user-agent，该请求的作用是发送一个签到请求，需要Cookie验证当前身份是否和url中的formhash匹配，cookie确实应该是放在details中而非headers内，等后面实现HttpOnly我再试试，现在的话我发送签到请求返回内容会是验证身份失败

[JingMatrix]

Now httpOnly support is implemented. Please test it and share your feedbacks! 😃

[WhiteSevs]

Now httpOnly support is implemented. Please test it and share your feedbacks! 😃

我尝试了一下最新的https://github.com/JingMatrix/ChromeXt/actions/runs/6228644262，似乎有严重的问题，GM_xmlhttpRequest的请求不触发任何回调

[JingMatrix]

Cannot reproduce your issue, in my devices,

GM_xmlhttpRequest({
    url: "https://bbs.binmt.cc/k_misign-sign.html?operation=qiandao&format=button&formhash=TESTHASHVALUE&inajax=1&ajaxtarget=midaben_sign",
    onload: (r)=>console.log(r.response),
    onerror: (r)=>console.log(r),
    timeout: 5000,
    forceCORS: true
})

returns a response with 您当前的访问请求当中含有非法字符，已经被系统拒绝.

[WhiteSevs]

Cannot reproduce your issue, in my devices,

GM_xmlhttpRequest({
    url: "https://bbs.binmt.cc/k_misign-sign.html?operation=qiandao&format=button&formhash=TESTHASHVALUE&inajax=1&ajaxtarget=midaben_sign",
    onload: (r)=>console.log(r.response),
    onerror: (r)=>console.log(r),
    timeout: 5000,
    forceCORS: true
})

returns a response with 您当前的访问请求当中含有非法字符，已经被系统拒绝.

使用这个仍是未触发，GM_bridge.GM_xmlhttpRequest使用的是这个调试https://greasyfork.org/zh-CN/scripts/475424-%E8%B0%83%E8%AF%95

QQ2023919-162632-HD.mp4

[JingMatrix]

The re-implement of GM_cookie is done.
Now, it should work in the same way as TamperMonkey.

[JingMatrix]

@WhiteSevs Did you succeed to run your script with the latest commits of ChromeXt? I am planning to release a new version of ChromeXt this weekend. If you find no errors, please drop a message here. Also, this issue will be closed after that.

[WhiteSevs]

@WhiteSevs Did you succeed to run your script with the latest commits of ChromeXt? I am planning to release a new version of ChromeXt this weekend. If you find no errors, please drop a message here. Also, this issue will be closed after that.

ok，现在基本上除了那些需要跨域登录的操作都没问题了

[JingMatrix]

CORS login should be working now. Did you still fail to do that?

[WhiteSevs]

CORS login should be working now. Did you still fail to do that?

Yes，抓包看登录请求成功后301重定向，该重定向请求并没有携带Cookie👉KEEP_LOGIN

[JingMatrix]

If you receive the 301 redirection, the cookie won't be sent according to this explanation. You should change your request URL to the redirected one and try again.

[WhiteSevs]

If you receive the 301 redirection, the cookie won't be sent according to this explanation. You should change your request URL to the redirected one and try again.

在ChromeXt中设置redirect: "manual"可以正常，但是在TamperMonkey中得需要继续请求https://www.z4a.net/来判断是已经否登录，这样的话，我就不考虑增加redirect: "manual"了。
在上传图片时出现错误👇

[JingMatrix]

Currently in ChromeXt, redirect: "manual" is the same as redirect: "follow", there should be no difference.
Could you give the details of you URL request? I may try it on my side.
500 error means the error is not in the client side.

[WhiteSevs]

登录👇

// token可以在www.z4a.net页面HTML中搜索到 => PF.obj.config.auth_token
GM_xmlhttpRequest({
    url:"https://www.z4a.net/login",
    method:"POST",
    redirect: "manual",
    data: `login-subject=${user}&password=${pwd}&auth_token=${xxxxx}`,
    headers: {
              "User-Agent": GM_bridge.Utils.getRandomPCUA(),
            },
    onload:(r)=>{console.log(r)},
    onerror:(r)=>{console.log(r)}
})

上传图片👇，imageFile是input内的图片文件File

let form = new FormData();
form.append("type", "file");
form.append("action", "upload");
form.append("timestamp", new Date().getTime());
form.append("auth_token", auth_token);
form.append("nsfw", 0);
form.append("source", imageFile);
GM_xmlhttpRequest({
    url: `https://www.z4a.net/json`,
    method: "POST",
    data: form,
    async: false,
    headers: {
      Accept: "application/json",
      "User-Agent": utils.getRandomPCUA(),
      Referer: `https://www.z4a.net/`,
      Origin: "https://www.z4a.net",
    },
    onload:(r)=>{console.log(r)},
    onerror:(r)=>{console.log(r)}
})

[JingMatrix]

Okay, I see. That is because I didn't process FormData in GM_xmlhttpRequest yet. This will be done soon. It seems not to be a problem of cookie.

[WhiteSevs]

对，但是上传的前一个步骤是先登录，那个步骤有重定向Cookie问题

[JingMatrix]

@WhiteSevs I have tested another website https://imgse.com/, the uploding is working well with the latest commit of ChromeXt.

[JingMatrix]

@WhiteSevs Did you try the cookie login again?
I am about to publish a new release of ChromeXt today. Currently, at least on my devices, it is working.

[WhiteSevs]

@WhiteSevs Did you try the cookie login again? I am about to publish a new release of ChromeXt today. Currently, at least on my devices, it is working.

貌似有点问题，在登录时返回的responseText内没有内容

[JingMatrix]

That is because the default value for redirect is manual, and the status is 301.
You will see some response if you set it to follow.
This redirection is not important regarding to login.

[WhiteSevs]

That is because the default value for redirect is manual, and the status is 301. You will see some response if you set it to follow. This redirection is not important regarding to login.

在TamperMonkey中，redirect默认为follow,我刚刚试了下，在ChromeXt中设置redirect: follow有这么个错误
设置manual的话和TamperMonkey中没啥大区别，可惜是用不到manual，基本使用默认的follow且它的返回statue为200，responseText内有内容

[JingMatrix]

Do you need the response for your script? If not, you can safely ignore it for a while.
I will change the code for redirection later.
How about the upload? Did it work as expected?

[WhiteSevs]

是的，我脚本中有段是根据这个responseText内容来判断是否已成功登录，这个报错很奇怪，我是用的登录，并没有使用上传

[JingMatrix]

I have changed the default value of redirect to be follow.
Note that in ChromeXt, you can use the onredirect parameter to listen for the redirect event.

[WhiteSevs]

奇怪，最新的版本无法进行图床登录，上个版本我测试了下还可以进行登录且上传图片

[JingMatrix]

Cannot reproduce on my phone. I tested with the following code, and it worked as expected.

let url = "https://imgse.com/";

async function get_token() {
  const html = await GM_bridge.GM_xmlhttpRequest({ url, forceCORS: true });
  return html.match(/PF.obj.config.auth_token = "(\w+)"/)[1];
}

function login(
  auth_token = PF.obj.config.auth_token,
  redirect = "follow",
  nocache = true
) {
  const form = new FormData();
  form.append("login-subject", user);
  form.append("password", pwd);
  form.append("auth_token", auth_token);
  return GM_bridge.GM_xmlhttpRequest({
    url: url + "login",
    method: "POST",
    redirect,
    nocache,
    onredirect: (xhr) => console.log(xhr),
    data: form,
    onload: (xhr) => console.log(xhr.status),
  });
}

function createForm() {
  if (document.querySelector("#chromext")) return;
  const input = document.createElement("input");
  input.setAttribute("type", "file");
  input.setAttribute("accept", "image/*");
  input.id = "chromext";
  document.body.prepend(input);
  return input;
}

function upload(auth_token = PF.obj.config.auth_token, putFile = true) {
  input = document.querySelector("#chromext");
  if (putFile && typeof input.files[0] == "undefined") {
    console.warn("No file chosen yet");
  }
  const form = new FormData();
  form.append("type", "file");
  form.append("action", "upload");
  form.append("timestamp", new Date().getTime());
  if (putFile) form.append("source", input.files[0]);
  form.append("auth_token", auth_token);
  form.append("nsfw", 0);
  GM_bridge.GM_xmlhttpRequest({
    responseType: "json",
    url: url + "json",
    method: "POST",
    data: form,
    timeout: 30000,
    onload: (xhr) => console.log(xhr.response),
  });
}

function test() {
  const promise = get_token().then((token) => {
    console.log("Auth_token:", token);
    login(token);
  });
  createForm();
  return promise;
}

You run it with test() and then upload(token) with the token given in the console.

[WhiteSevs]

imgse.com倒是可以，在测试z4a.net登录时，发现没加redirect: "follow"登录会失败，然后加上后，就登录成功了，再刷新DevTools，上传功能就正常了

[JingMatrix]

Even with z4a.net, it is not reproducible on my device.
It is most likely to be a caching issue, or your traffic is somehow blocked by z4a.net.
To avoid such mistakes, please ensure to restart your browser each time when you test it.

This will not be considered as a bug. If you are Okay with that, please close the issue.

[WhiteSevs]

OK，删除脚本后重新安装了下，第一次登录失败，第二次登录成功且上传图片完毕，应该是这个图床网站的问题