GM_xmlhttpRequest's Set-Cookie header overwrites cookies

What is the problem?

After running the GM_xmlhttpRequest, the cookie is overwritten when the server returns the Set-Cookie header.

How to reproduce it?

This bug can only be reproduce through the Chrome

1. User logs in to hello.example.com
2. hello.example.com returns Set-Cookie: PHPSESSID=20dxxx; path=/; domain=.example.com

3. // Getting data from the difference
   GM_xmlhttpRequest({
     url: 'https://world.example.com',
     anonymous: true,
     onload: () => console.log('do something cool')
   })

4. world.example.com returns Set-Cookie: PHPSESSID=5faxxx; path=/; domain=.example.com
5. PHPSESSID for .example.com is now 5faxxx

What is the expected result?

Completely ignoring Set-Cookie header

What is the actual result?

Set-Cookie overwrites cookies

Environment

• Browser: Chrome
• Browser version: 78.0.3904.108
• Violentmonkey version: 2.12.4
• OS: Windows 10

[tophf]

The only thing anonymous: true does is prevent sending cookies. It shouldn't prevent cookies to be received at least this is not mentioned in the documentation of VM, TM, and GM. I don't have any personal preference though so please test what happens in Tampermonkey and then we'll decide what to do.

I just tested my codes with TM and there was no problem with Set-Cookie and it doesn't overwrite cookies. This seems to be a problem for VM.

[tophf]

Hmm, I'm not sure this is a bug in Violentmonkey: why does that site set the header for a cross-origin request with Sec-Fetch-Mode: cors header that doesn't have withCredentials: true? I'm not an expert on cookies so I'd say it looks like a buggy server. Can you demonstrate this problem on a real (and preferably popular) site?

Actually that's because requests from extensions that have URL permissions are handled by the browser differently, not like a standard cross-origin request.

  GM_xmlhttpRequest({
    url: 'https://m.dcinside.com/board/aoegame?page=1',
    headers: {
      cookie: 'PHPSESSID=1',
      'user-agent': 'Mozilla/5.0 (Android 7.0; Mobile)'
    }
  })

Problem solved. kind of. the Set-Cookie header was returned only when PHPSESSID cookie is not provided. so I sent a fake PHPSESSID cookie and now it's working fine. long story short, it was a server's fault. but I think the issue is still valid.

I wanted to get a list of posts and parse them. but the site has rate-limit. however, there is no rate-limit on the mobile-only page. so I tried to get a mobile page.

On the desktop page, the session(PHPSESSID) value required for user login, is sent with the HttpOnly flag. but on the mobile page, a new session key is created and sent to Set-Cookie if the user requests it without a PHPSESSID. because there was a httpOnly flag, it was not sent and the session key was continuously generated.

It's not necessary but here's server urls (it's all in Korean):

• Desktop page
• Desktop login page
  Entering anything will generate a session key.
• Mobile page (needs mobile user-agent to open)

Back to the issue. I think the Set-Cookie received by GM_xmlhttpRequest with no additional option should be ignored. Tampermonkey works like that.

[tophf]

I think the Set-Cookie received by GM_xmlhttpRequest with no additional option should be ignored. Tampermonkey works like that.

You're right, apparently.

[Ocrosoft]

I think the Set-Cookie received by GM_xmlhttpRequest with no additional option should be ignored. Tampermonkey works like that.

You're right, apparently.

It seems this fix was broken? I tried the following script.
`
// ==UserScript==
// @name New script
// @namespace Violentmonkey Scripts
// @match https://www.pixiv.net/
// @grant none
// @Version 1.0
// @author -
// @description 2023/1/18 14:59:32
// @grant GM_xmlhttpRequest
// ==/UserScript==

GM_xmlhttpRequest({
url: 'https://pixiv.net',
method: 'GET',
anonymous: true,
storeId: null,
onload: (data)=>{console.log(data);},
});
`
The problem may be the call to setCookieInStore at: file requests-core.js line 81.(I'm not sure, I have no enviroment to debug this extension...)