WebExtension: XMLHttpRequest issues: No cookies or referrer *SOLVED*


I’m converting chrome extension to WebExtension. I have everything working except XMLHttpRequest. FF is not sending cookies or referrer (same domain). I’m guessing the cause is Xray? And is this the reason that relative urls for XMLHttpRequest fails because FF considers the content script to be its own domain?

I can work around this by writing a script to the page with createElement(“script”), append to head and using a href=“javascript:runThisFunction();” on a link. I know this is not the way it should be done. I have looked at this page. Does this apply in my case?

I’m in need of some guidance on the proper way to implement XMLHttpRequest with credentials for same domain requests. For now, I’m stuck. I’ll provide code on request.
Thanks in advance for any help given!

NOTE: My usage of “same domain” means sending a request to the same domain/page that the content script is loaded. If that wasn’t already clear… :wink:

(Noitidart) #2

Whoa this is interesting.

Are you doing the XHR from inside a content script on a page?

Or are you doing the XHR from the background page?

Either way I would expect the cookies to be there. I haven’t got to the XHR steps of my addon, does anyone know if cookies are available to XHR from background script, from content script? Does it need special permission in manifest.json?

(knowing when to give permission, and with what entry in the manifest, is a hard thing to find out, the only way I figure out is when I hit an unexpected block, I troubleshoot randomly and it usually ends up with some new key in the manifest)


Thanks for the interest noitidart. XHR from a content script. No background script loaded.
I too wonder if it is permission or manifest related. For the heck of it, I put “webNavigation” and “webRequest” in permissions with no joy. The “no cookie” is a killer for me, since my addon is site specific and without cookies, the site returns the login page (assumes logged out). I really hope someone has some info about this…

(Noitidart) #4

Try putting in <all_urls> it has fixed a lot of my problems. No idea why.


Sure, I’ll try.
No joy with <all_urls> set for content scripts and also permissions…

(Martin Giger) #6

Yes, you get the extension’s XMLHttpRequest and fetch within a content script. To get the one from the page, use window.wrappedJSObject.XMLHttpRequest, which then returns the version from the page, since wrappedJSObject waives the wrappers.


Thank you freaktechnik, for some hope!
Sadly, wrapping is new to me and I am quite cloudy regarding its usage. I tried many failed variations. The following is the code I’m using. All the commented lines are my failed attempts. The first commented line resulted in “Error: Permission denied to access object”. I did not record the errors for the other lines. I just know they did not work.

function loadXMLDoc(url, isXML, cfunc) {
   console.log("Sending Request to "+url);
   http=new XMLHttpRequest();
//   http=new window.wrappedJSObject.XMLHttpRequest();
//   http=window.wrappedJSObject.new XMLHttpRequest();
//   http=window.wrappedJSObject(new XMLHttpRequest());
//   http=new content.wrappedJSObject.XMLHttpRequest();
//   var htt=new XMLHttpRequest();
//   http=content.wrappedJSObject.htt;
//   http=content.wrappedJSObject.(new XMLHttpRequest());
//   http=new XMLHttpRequest().wrappedJSObject;
//   http=window.wrappedJSObject;
//   http=window.wrappedJSObject.http;
   http.open("GET", url, true);
   http.withCredentials = true;

Will you please expand a bit on what I need to do? Or point me to a good reference webpage? It really bothers me that I just “don’t get it”…

(Martin Giger) #8

As far as I understand it should be

const http = new XPCNativeWrapper(window.wrappedJSObject.XMLHttpRequest)();


Thank you! Well, it didn’t work as posted, but the following DID work!
Cookies and referrer sent confirmed. :relieved:

http = XPCNativeWrapper(new window.wrappedJSObject.XMLHttpRequest());

I will research this some more.
Thank you so much for the help! :slight_smile:

(Noitidart) #10

Is this XPCNativeWrapper thing same in Google Chrome and other browsers? How would we use cookies there? Can background script use cookies?


I don’t have any issues with normal XHR in Chrome. It sends cookies no
problem. It is only in FF that I need to wrap. Since I use the same content
script for both browsers, I just simply grab the correct object as needed…

function getXMLHttp(){
   try {
      return XPCNativeWrapper(new window.wrappedJSObject.XMLHttpRequest());
      return new XMLHttpRequest();

I’m sure there is a better method than try/catch but for now, this works
perfectly and the same code works in Chrome and FF.

(Martin Giger) #12

I’m told setting https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest/withCredentials could also solve your issue, as your request is treated as Cross-Origin and thus the property will dedault to false. This should work without the unwrapping & rewrapping.


Thank you. It’s a good idea, but it does not work.
I had already set withCredentials to true in all my previous testing. EDIT: See my failed code above.
No cookies or referrer were sent until I wrapped it (thanks to you).

Unwrapped: Relative URLs would fail as “invalid” string. Request not sent.
Unwrapped: Full URL would send, but no cookie or referrer sent (withCredentials=true ).
Wrapped: Everything normal…

(Matt) #14

You can avoid this by enabling 3rd-party cookies. Firefox disabled this by default many releases ago, and it broke many extensions that made XHR requests back to the site where the extension was running. I complained long ago, and said that extensions should be exempt from 3rd-party-cookie blocking, but apparently they decided not to do that.


Thanks, that is quite interesting… I did a quick test and you are correct. I enabled third-party cookies in FF and requests are sent correctly. But… relative URLs did not work. It must be the full URL.

I have always disabled third party cookies for as long as I can remember. I am sure I am not the only one… :wink: And if FF now disables third-party cookies by default, this means even more users that I am concerned about. Wrapping is working well for me. And I don’t need to tell users to enable third-party cookies in order for the extension to work. I’m quite sure you weren’t suggesting that. lol

Regardless, this is interesting info and good to know. I appreciate it. :slight_smile:
Would you happen to have links to any conversations about your complaint?

(Noitidart) #16

Here’s a bug SubDevo - https://bugzilla.mozilla.org/show_bug.cgi?id=1322113

(edcaron) #17

so, did you manage to do this? I’m also stuck on this issue and i’d like to know


Yes. In my add-on, I’m using what I posted earlier.
Same code for FF and Chrome version.

I just grab the correct object (for chrome or firefox) by calling the above function and use in place of XMLHttpRequest.

For example:

   var http=getXMLHttp();
   http.open("GET", url, true);