Sunday, 11 August 2013

What HTTP origin does GM_xmlhttpRequest have?

I want my app with a REST API to be accessible in different flavors:

- From the same domain (use normal AJAX request here)
- From another domain via script attached by site owner (CORS)
- From another domain via userscript (GM_xmlhttpRequest (?))

I want to limit the sites from which my app is accessible using a
whitelist. I know how to do it with CORS, but I'm not sure if it works the
same way with GM_xmlhttpRequest, since GM_xmlhttpRequest does not require
the Origin header to be sent back from a server. I don't care about the
client, but I still need to check on the server which site the request was
sent from and answer with something like {response:"site not supported"}
if it isn't in the whitelist. So, here is my question: when I run a
userscript on some webpage and make a GM_xmlhttpRequest, can the server
detect the origin?
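
The server-side whitelist check the question describes, as an added example that is not part of the original post. The names `ALLOWED_ORIGINS`, `normalizeOrigin` and `checkOrigin` and the listed origins are hypothetical. The `Origin` header is supplied by the client, so this check is a policy filter for cooperating browsers, not authentication.

```javascript
// Added example; the origins below are constructed placeholders.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://partner.example.org",
]);
const NOT_SUPPORTED = { response: "site not supported" };

// Reduce an Origin header value to scheme://host[:port]; null if unusable.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // A real Origin value has no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null;
  }
  return url.origin; // lower-cases the host and drops a default port
}

// headers: request headers keyed by lower-case name (as Node's http module gives them).
function checkOrigin(headers) {
  const origin = normalizeOrigin(headers["origin"]);
  if (origin === null) {
    // Without a usable Origin the header cannot say which site sent the request.
    // Browsers usually omit it on same-origin GET, so the same-domain flavor
    // should branch on reason "no-origin" instead of using this fail-closed body.
    return { allowed: false, reason: "no-origin", headers: {}, body: NOT_SUPPORTED };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    // Exact match on the normalised origin; a substring or suffix test
    // would also accept lookalike hosts.
    return { allowed: false, reason: "not-listed", headers: {}, body: NOT_SUPPORTED };
  }
  return {
    allowed: true,
    reason: "listed",
    headers: { "Access-Control-Allow-Origin": origin, Vary: "Origin" },
    body: null,
  };
}
```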
