I made a Firefox addon using the Greasemonkey script compiler at arantius.com/misc/greasemonkey/script-compiler. The addon gets data from my server and displays it on 3rd party websites. Now I want to restrict access to authenticated users only. What is the best way to do this?
The users have an acount on my website (made with Drupal 7), which sets a session-cookie on login. So I tried to get my addon to read the session-cookie, send it to the backend, which then checks the login state.
But since the javascript of my 开发者_高级运维addon runs in the scope of the 3rd party website, it's not allowed to access my cookie. I get this error:
Error: <http://de.wikipedia.org> wurde die Erlaubnis für das Lesen der Eigenschaft XPCComponents.classes verweigert.
(en: "Error: wikipedia was not allowed to read the property XPCComponents.classes")
Dispite security concerns I tried to use unsafeWindow, but the code still fails:
try {
unsafeWindow.netscape.security.PrivilegeManager
.enablePrivilege('UniversalXPConnect');
var cookieMgr = Components.classes["@mozilla.org/cookiemanager;1"]
.getService(Components.interfaces.nsICookieManager);
}
catch (errorInfo)
{
alert(errorInfo);
}
I know now that cross domain cookies are not supposed to be possible. But how can I get around this? How do other addons do authentication (e.g. Delicious Bookmarks, StumbleUpon and so many others).
Any hints or pointers would be very much appreciated.
Use GM_xmlhttpRequest to request the login state at your website?
As an alternative you can also use GM_setValue/GM_getValue to store the login status.
精彩评论