Load remote file in extension by lucka-me · Pull Request #112 · quoid/userscripts · GitHub
Skip to content

Load remote file in extension#112

Merged
quoid merged 2 commits into
quoid:v3.1.0from
lucka-me:load-remote-file-in-extension
Apr 11, 2021
Merged

Load remote file in extension#112
quoid merged 2 commits into
quoid:v3.1.0from
lucka-me:load-remote-file-in-extension

Conversation

@lucka-me

@lucka-me lucka-me commented Apr 10, 2021

Copy link
Copy Markdown
Contributor

Hello,

First of all, thank you for developing such a useful extension!

I noticed that the Add Remote and Update always fail with "updateURL unreachable", after some experiments I found it's because of the CORS policy: UserScripts loads remote files by JavaScript in the extension page, the origin is something like safari-extension://xxx-xxx-xxx, which is (usually?) not allowed by Access-Control-Allow-Origin, therefore the fetch operation is denied by Safari.

I changed it to load remote files in extension (Swift part) instead, and it works fine so far but still with some limitations:

  • The URL must be secure (HTTPS)
  • I'm not sure how to cancel the task properly, so I hide the button temporarily

I'm new to Swift, and not sure whether all my code works fine or not. Please let me know if there is anything needs to be fixed.

Sincerely.

@quoid

quoid commented Apr 10, 2021

Copy link
Copy Markdown
Owner

@lucka-me

lucka-me commented Apr 10, 2021

Copy link
Copy Markdown
Contributor Author

@quoid

I did another experiments just now, and found that the Access-Control-Allow-Origin is not set in the headers of the failing scripts, so I think the Fetch API will be denied if Access-Control-Allow-Origin is not set or does not include the safari-extension://xxx-xxx-xxx.

Here are some denied examples:

  • https://iitc.modos189.ru/build/release/total-conversion-build.user.js
  • https://brainstorming.azurewebsites.net/OPR_brainStorming/OPR_brainStroming.user.js

@quoid

quoid commented Apr 10, 2021

Copy link
Copy Markdown
Owner

@lucka-me Thank you for the reply

It's been my understanding that having no Access-Control-Allow-Origin policy means no cross origins are allowed. The lack the this policy and the subsequent failure makes sense (if my understanding is correct) and I can verify that those urls fail for me too.

If a website admin has a resource shared online and a restrictive cross origin policy (either explicit or by the lack of a policy), would the method in this PR fail to respect that policy?

I am not sure how I feel about circumventing the header policy.

This was a consideration when I originally, and somewhat reluctantly enabled the feature. It's possible that the current implementation is too restrictive or I expect too much from Access-Control-Allow-Origin and admins. Further, the method I use to get required code is similar to the method in the PR, perhaps the point is moot.

@lucka-me

Copy link
Copy Markdown
Contributor Author

@quoid

I'm not sure why they don't set the Access-Control-Allow-Origin, here is my guess:

I investigated the Tampermonkey in Chrome, and no network activity was logged in the Dev Tools when updating a script in the extension's manager page, so I guess it load scripts from the extension and there won't be any CORS limitation. If other user script managers also do in the same way, some website admins may not notice the Access-Control-Allow-Origin because the managers they use work fine without it being set.

And here is maybe another perspective: The user scripts are downloaded and executed in different places (or origins?): they are downloaded in the manager page, but executed in the @include page. So the cross origin policy should be ignored by the manager...?

As for the @required tag, I used to think they are loaded when injecting the user scripts like await addScriptTagAndLoad(requiredURL) and TIL they're preloaded when add the script...

@quoid

quoid commented Apr 10, 2021

Copy link
Copy Markdown
Owner

@lucka-me

I think your implementation is an improvement so I will roll it into a future update, hopefully the next one. I will investigate request cancellations as well.

Thanks for bringing this to my attention, and I really appreciate the PR.

@quoid quoid changed the base branch from master to v3.1.0 April 11, 2021 17:19
@quoid quoid merged commit b38196d into quoid:v3.1.0 Apr 11, 2021
quoid added a commit that referenced this pull request Apr 11, 2021
@quoid

quoid commented Apr 11, 2021

Copy link
Copy Markdown
Owner

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants