影子屋 (文章分类:fetch)https://blog.bgme.me/zh_cnContents © 2024 <a href="mailto:i@bgme.me">无影人</a> <a rel="license noopener nofollow" target="_blank" href="http://creativecommons.org/licenses/by-sa/4.0/" class="ui image" title="如无特别说明,本站文章均遵循 CC BY-SA 4.0 协议,转载请注明作者及出处。"> <img alt="Creative Commons Attribution-ShareAlike 4.0 International License" src="/license.png"> </a> Wed, 24 Apr 2024 12:02:12 GMTNikola (getnikola.com)http://blogs.law.harvard.edu/tech/rss浏览器 fetch, GM_xmlhttpRequest 以及 Forbidden headerhttps://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/无影人<p>今天阅读 <a class="reference external" href="https://blog.nest.moe/posts/write-a-package-for-both-browser-and-nodejs">《整一个同时用于浏览器和 Node.js 的模块》</a> 这篇博文时,看到其中关于浏览器 fetch api 获取请求头部分,心有所感,于是就有了本文。</p> <p>本文将说一说浏览器 fetch api 与 Forbidden header 的那些事情,在浏览器中可以设置并获取 Forbidden header 吗?</p> <!-- TEASER_END --> <p>一切开始之前,先看一看官方文档是怎么说的。</p> <ul class="simple"> <li><p><a class="reference external" href="https://developer.mozilla.org/en-US/docs/Web/API/fetch">fetch() global function</a></p></li> <li><p><a class="reference external" href="https://developer.mozilla.org/en-US/docs/Web/API/Headers">Headers</a></p></li> <li><p><a class="reference external" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie">Set-Cookie</a></p></li> <li><p><a class="reference external" href="https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name">Forbidden header name</a></p></li> <li><p><a class="reference external" href="https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_response_header_name">Forbidden response header name</a></p></li> </ul> <div class="admonition error docutils container"> <p>For security reasons, some headers can only be controlled by the user agent. These headers include the forbidden header names and forbidden response header names.</p> <p>出于安全考虑,某些头只能由用户代理控制。这些头信息包括 forbidden header names 和 forbidden response header names。</p> </div> <div class="admonition error docutils container"> <p>Warning: Browsers block frontend JavaScript code from accessing the Set-Cookie header, as required by the Fetch spec, which defines Set-Cookie as a forbidden response-header name that must be filtered out from any response exposed to frontend code.</p> <p>警告: 根据 Fetch 规范,Set-Cookie 是一个禁止的响应标头,对应的响应在被暴露给前端代码前,必须滤除这一响应标头,即浏览器会阻止前端 JavaScript 代码访问 Set-Cookie 标头。</p> </div> <hr class="docutils"> <p>文档告诉我们,在浏览器环境中,向请求设置 <a class="reference external" href="https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_header_name">Forbidden header</a> ,获取响应的 <a class="reference external" href="https://developer.mozilla.org/en-US/docs/Glossary/Forbidden_response_header_name">Forbidden response header</a> (<code class="docutils literal"><span class="pre">Set-Cookie</span></code>) 是无法做到的。</p> <p>真的是这样吗?我不信,我要自己试一试。</p> <div class="code"><pre class="code javascript"><a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-1" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-1" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-1"></a><span class="p">(</span><span class="k">async</span><span class="w"> </span><span class="p">()</span><span class="w"> </span><span class="p">=&gt;</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-2" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-2" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-2"></a><span class="w"> </span><span class="k">try</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-3" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-3" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-3"></a><span class="w"> </span><span class="kd">const</span><span class="w"> </span><span class="nx">resp</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">await</span><span class="w"> </span><span class="nx">fetch</span><span class="p">(</span><span class="s2">"https://httpbin.org/get"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-4" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-4" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-4"></a><span class="w"> </span><span class="nx">method</span><span class="o">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-5" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-5" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-5"></a><span class="w"> </span><span class="nx">headers</span><span class="o">:</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-6" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-6" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-6"></a><span class="w"> </span><span class="nx">Cookie</span><span class="o">:</span><span class="w"> </span><span class="s2">"test1234"</span><span class="p">,</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-7" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-7" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-7"></a><span class="w"> </span><span class="s2">"Sec-Fetch-Dest"</span><span class="o">:</span><span class="w"> </span><span class="s2">"document"</span><span class="p">,</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-8" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-8" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-8"></a><span class="w"> </span><span class="s2">"Sec-Fetch-Mode"</span><span class="o">:</span><span class="w"> </span><span class="s2">"navigate"</span><span class="p">,</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-9" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-9" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-9"></a><span class="w"> </span><span class="s2">"Sec-Fetch-Site"</span><span class="o">:</span><span class="w"> </span><span class="s2">"none"</span><span class="p">,</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-10" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-10" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-10"></a><span class="w"> </span><span class="nx">Test</span><span class="o">:</span><span class="w"> </span><span class="s2">"test1234"</span><span class="p">,</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-11" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-11" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-11"></a><span class="w"> </span><span class="p">},</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-12" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-12" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-12"></a><span class="w"> </span><span class="p">});</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-13" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-13" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-13"></a><span class="w"> </span><span class="kd">const</span><span class="w"> </span><span class="nx">resp_body</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">await</span><span class="w"> </span><span class="nx">resp</span><span class="p">.</span><span class="nx">json</span><span class="p">();</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-14" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-14" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-14"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">"https://httpbin.org/get"</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-15" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-15" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-15"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">resp</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-16" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-16" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-16"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">([...</span><span class="nx">resp</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">entries</span><span class="p">()]);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-17" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-17" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-17"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">([...</span><span class="nx">resp</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">entries</span><span class="p">()].</span><span class="nx">map</span><span class="p">((</span><span class="nx">h</span><span class="p">)</span><span class="w"> </span><span class="p">=&gt;</span><span class="w"> </span><span class="nx">h</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="s2">": "</span><span class="p">)).</span><span class="nx">join</span><span class="p">(</span><span class="s2">"\n"</span><span class="p">));</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-18" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-18" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-18"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">resp_body</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-19" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-19" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-19"></a><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-20" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-20" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-20"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-21" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-21" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-21"></a><span class="w"> </span><span class="p">}</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-22" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-22" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-22"></a> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-23" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-23" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-23"></a><span class="w"> </span><span class="k">try</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-24" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-24" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-24"></a><span class="w"> </span><span class="kd">const</span><span class="w"> </span><span class="nx">resp</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">await</span><span class="w"> </span><span class="nx">fetch</span><span class="p">(</span><span class="s2">"https://www.baidu.com/"</span><span class="p">,</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-25" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-25" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-25"></a><span class="w"> </span><span class="nx">method</span><span class="o">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-26" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-26" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-26"></a><span class="w"> </span><span class="p">});</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-27" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-27" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-27"></a><span class="w"> </span><span class="kd">const</span><span class="w"> </span><span class="nx">resp_body</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="k">await</span><span class="w"> </span><span class="nx">resp</span><span class="p">.</span><span class="nx">text</span><span class="p">();</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-28" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-28" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-28"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">"https://www.baidu.com/"</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-29" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-29" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-29"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">resp</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-30" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-30" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-30"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">([...</span><span class="nx">resp</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">entries</span><span class="p">()]);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-31" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-31" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-31"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">([...</span><span class="nx">resp</span><span class="p">.</span><span class="nx">headers</span><span class="p">.</span><span class="nx">entries</span><span class="p">()].</span><span class="nx">map</span><span class="p">((</span><span class="nx">h</span><span class="p">)</span><span class="w"> </span><span class="p">=&gt;</span><span class="w"> </span><span class="nx">h</span><span class="p">.</span><span class="nx">join</span><span class="p">(</span><span class="s2">": "</span><span class="p">)).</span><span class="nx">join</span><span class="p">(</span><span class="s2">"\n"</span><span class="p">));</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-32" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-32" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-32"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">resp_body</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-33" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-33" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-33"></a><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-34" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-34" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-34"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-35" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-35" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-35"></a><span class="w"> </span><span class="p">}</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-36" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-36" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-36"></a> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-37" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-37" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-37"></a><span class="w"> </span><span class="k">try</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-38" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-38" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-38"></a><span class="w"> </span><span class="kd">const</span><span class="w"> </span><span class="nx">xhr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ow">new</span><span class="w"> </span><span class="nx">XMLHttpRequest</span><span class="p">();</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-39" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-39" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-39"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="s2">"https://httpbin.org/get"</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-40" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-40" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-40"></a> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-41" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-41" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-41"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">setRequestHeader</span><span class="p">(</span><span class="s2">"Cookie"</span><span class="p">,</span><span class="w"> </span><span class="s2">"test1234"</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-42" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-42" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-42"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">setRequestHeader</span><span class="p">(</span><span class="s2">"Sec-Fetch-Dest"</span><span class="p">,</span><span class="w"> </span><span class="s2">"document"</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-43" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-43" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-43"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">setRequestHeader</span><span class="p">(</span><span class="s2">"Sec-Fetch-Mode"</span><span class="p">,</span><span class="w"> </span><span class="s2">"navigate"</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-44" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-44" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-44"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">setRequestHeader</span><span class="p">(</span><span class="s2">"Sec-Fetch-Site"</span><span class="p">,</span><span class="w"> </span><span class="s2">"none"</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-45" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-45" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-45"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">setRequestHeader</span><span class="p">(</span><span class="s2">"Test"</span><span class="p">,</span><span class="w"> </span><span class="s2">"test1234"</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-46" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-46" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-46"></a> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-47" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-47" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-47"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">responseType</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"json"</span><span class="p">;</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-48" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-48" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-48"></a> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-49" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-49" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-49"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="s2">"load"</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="nx">ev</span><span class="p">)</span><span class="w"> </span><span class="p">=&gt;</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-50" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-50" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-50"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">"https://httpbin.org/get"</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-51" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-51" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-51"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">ev</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-52" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-52" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-52"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">xhr</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-53" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-53" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-53"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">xhr</span><span class="p">.</span><span class="nx">response</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-54" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-54" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-54"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">xhr</span><span class="p">.</span><span class="nx">getAllResponseHeaders</span><span class="p">());</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-55" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-55" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-55"></a><span class="w"> </span><span class="p">});</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-56" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-56" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-56"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-57" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-57" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-57"></a><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-58" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-58" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-58"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-59" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-59" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-59"></a><span class="w"> </span><span class="p">}</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-60" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-60" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-60"></a> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-61" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-61" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-61"></a><span class="w"> </span><span class="k">try</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-62" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-62" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-62"></a><span class="w"> </span><span class="kd">const</span><span class="w"> </span><span class="nx">xhr</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="ow">new</span><span class="w"> </span><span class="nx">XMLHttpRequest</span><span class="p">();</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-63" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-63" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-63"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">open</span><span class="p">(</span><span class="s2">"GET"</span><span class="p">,</span><span class="w"> </span><span class="s2">"https://www.baidu.com/"</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-64" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-64" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-64"></a> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-65" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-65" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-65"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">responseType</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="s2">"text"</span><span class="p">;</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-66" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-66" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-66"></a> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-67" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-67" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-67"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">addEventListener</span><span class="p">(</span><span class="s2">"load"</span><span class="p">,</span><span class="w"> </span><span class="p">(</span><span class="nx">ev</span><span class="p">)</span><span class="w"> </span><span class="p">=&gt;</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-68" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-68" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-68"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">"https://www.baidu.com/"</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-69" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-69" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-69"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">ev</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-70" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-70" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-70"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">xhr</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-71" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-71" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-71"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">xhr</span><span class="p">.</span><span class="nx">response</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-72" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-72" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-72"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">xhr</span><span class="p">.</span><span class="nx">getAllResponseHeaders</span><span class="p">());</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-73" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-73" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-73"></a><span class="w"> </span><span class="p">});</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-74" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-74" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-74"></a><span class="w"> </span><span class="nx">xhr</span><span class="p">.</span><span class="nx">send</span><span class="p">();</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-75" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-75" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-75"></a><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-76" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-76" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-76"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-77" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-77" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-77"></a><span class="w"> </span><span class="p">}</span> <a id="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-78" name="rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-78" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_dc6d2ddeeeff4a7b9b1126f95e998adf-78"></a><span class="p">})();</span> </pre></div> <p>到 <a class="reference external" href="https://www.baidu.com/">https://www.baidu.com/</a> 页面,运行上述代码,结果如下:</p> <figure class="align-center"> <a class="reference external image-reference" href="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/request.png"><img alt="/images/2023/browser-fetch-forbidden-header/request.png" src="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/request.png"></a> <figcaption> <p>Forbidden header</p> </figcaption> </figure> <figure class="align-center"> <a class="reference external image-reference" href="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/response.png"><img alt="/images/2023/browser-fetch-forbidden-header/response.png" src="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/response.png"></a> <figcaption> <p>Forbidden response header</p> </figcaption> </figure> <p>看来文档写的一点没错,确实无法设置与获取 Forbidden header 。</p> <p>当然如果仅仅是这样,还不至于让我水一篇博文。</p> <p>现在是见证奇迹的时刻了。</p> <hr class="docutils"> <p>打开 Violentmonkey API 文档,在 <a class="reference external" href="https://violentmonkey.github.io/api/gm/#gm_xmlhttprequest">GM_xmlhttpRequest</a> 一节中,有这样的内容。</p> <figure class="align-center"> <a class="reference external image-reference" href="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/GM_xmlhttpRequest.png"><img alt="/images/2023/browser-fetch-forbidden-header/GM_xmlhttpRequest.png" src="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/GM_xmlhttpRequest.png"></a> <figcaption> <p>GM_xmlhttpRequest</p> </figcaption> </figure> <div class="code"><pre class="code text"><a id="rest_code_6d33f76dec674a4bbb59ed74e88b8760-1" name="rest_code_6d33f76dec674a4bbb59ed74e88b8760-1" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_6d33f76dec674a4bbb59ed74e88b8760-1"></a>Some special headers are also allowed: <a id="rest_code_6d33f76dec674a4bbb59ed74e88b8760-2" name="rest_code_6d33f76dec674a4bbb59ed74e88b8760-2" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_6d33f76dec674a4bbb59ed74e88b8760-2"></a> <a id="rest_code_6d33f76dec674a4bbb59ed74e88b8760-3" name="rest_code_6d33f76dec674a4bbb59ed74e88b8760-3" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_6d33f76dec674a4bbb59ed74e88b8760-3"></a>- 'Cookie' <a id="rest_code_6d33f76dec674a4bbb59ed74e88b8760-4" name="rest_code_6d33f76dec674a4bbb59ed74e88b8760-4" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_6d33f76dec674a4bbb59ed74e88b8760-4"></a>- 'Host' <a id="rest_code_6d33f76dec674a4bbb59ed74e88b8760-5" name="rest_code_6d33f76dec674a4bbb59ed74e88b8760-5" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_6d33f76dec674a4bbb59ed74e88b8760-5"></a>- 'Origin' <a id="rest_code_6d33f76dec674a4bbb59ed74e88b8760-6" name="rest_code_6d33f76dec674a4bbb59ed74e88b8760-6" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_6d33f76dec674a4bbb59ed74e88b8760-6"></a>- 'Referer' <a id="rest_code_6d33f76dec674a4bbb59ed74e88b8760-7" name="rest_code_6d33f76dec674a4bbb59ed74e88b8760-7" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_6d33f76dec674a4bbb59ed74e88b8760-7"></a>- 'User-Agent' </pre></div> <p>如果我没有记错的话,这些都是 Forbidden header 吧。怎么 <code class="docutils literal">GM_xmlhttpRequest</code> 就可以设置了?我不信。</p> <div class="code"><pre class="code javascript"><a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-1" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-1" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-1"></a><span class="c1">// ==UserScript==</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-2" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-2" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-2"></a><span class="c1">// @name GM_xmlhttpRequest Forbidden header Test</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-3" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-3" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-3"></a><span class="c1">// @namespace bgme.me</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-4" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-4" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-4"></a><span class="c1">// @match https://example.org/</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-5" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-5" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-5"></a><span class="c1">// @grant GM_xmlhttpRequest</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-6" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-6" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-6"></a><span class="c1">// @version 1.0</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-7" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-7" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-7"></a><span class="c1">// @author bgme</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-8" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-8" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-8"></a><span class="c1">// @connect *</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-9" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-9" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-9"></a><span class="c1">// @connect httpbin.org</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-10" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-10" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-10"></a><span class="c1">// @connect www.baidu.com</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-11" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-11" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-11"></a><span class="c1">// @description GM_xmlhttpRequest Forbidden header Test</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-12" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-12" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-12"></a><span class="c1">// ==/UserScript==</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-13" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-13" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-13"></a> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-14" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-14" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-14"></a><span class="k">try</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-15" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-15" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-15"></a><span class="w"> </span><span class="kd">const</span><span class="w"> </span><span class="nx">request</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">GM_xmlhttpRequest</span><span class="p">({</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-16" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-16" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-16"></a><span class="w"> </span><span class="nx">url</span><span class="o">:</span><span class="w"> </span><span class="s2">"https://httpbin.org/get"</span><span class="p">,</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-17" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-17" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-17"></a><span class="w"> </span><span class="nx">method</span><span class="o">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-18" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-18" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-18"></a><span class="w"> </span><span class="nx">headers</span><span class="o">:</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-19" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-19" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-19"></a><span class="w"> </span><span class="nx">Cookie</span><span class="o">:</span><span class="w"> </span><span class="s2">"test1234"</span><span class="p">,</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-20" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-20" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-20"></a><span class="w"> </span><span class="s2">"Sec-Fetch-Dest"</span><span class="o">:</span><span class="w"> </span><span class="s2">"document"</span><span class="p">,</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-21" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-21" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-21"></a><span class="w"> </span><span class="s2">"Sec-Fetch-Mode"</span><span class="o">:</span><span class="w"> </span><span class="s2">"navigate"</span><span class="p">,</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-22" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-22" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-22"></a><span class="w"> </span><span class="s2">"Sec-Fetch-Site"</span><span class="o">:</span><span class="w"> </span><span class="s2">"none"</span><span class="p">,</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-23" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-23" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-23"></a><span class="w"> </span><span class="nx">Test</span><span class="o">:</span><span class="w"> </span><span class="s2">"test1234"</span><span class="p">,</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-24" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-24" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-24"></a><span class="w"> </span><span class="p">},</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-25" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-25" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-25"></a><span class="w"> </span><span class="nx">responseType</span><span class="o">:</span><span class="w"> </span><span class="s2">"json"</span><span class="p">,</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-26" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-26" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-26"></a><span class="w"> </span><span class="nx">onload</span><span class="p">(</span><span class="nx">ev</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-27" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-27" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-27"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">"https://httpbin.org/get"</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-28" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-28" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-28"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">ev</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-29" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-29" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-29"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">ev</span><span class="p">.</span><span class="nx">response</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-30" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-30" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-30"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">ev</span><span class="p">.</span><span class="nx">responseHeaders</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-31" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-31" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-31"></a> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-32" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-32" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-32"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">request</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-33" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-33" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-33"></a><span class="w"> </span><span class="p">},</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-34" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-34" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-34"></a><span class="w"> </span><span class="p">});</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-35" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-35" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-35"></a><span class="p">}</span><span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-36" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-36" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-36"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-37" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-37" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-37"></a><span class="p">}</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-38" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-38" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-38"></a> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-39" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-39" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-39"></a><span class="k">try</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-40" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-40" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-40"></a><span class="w"> </span><span class="kd">const</span><span class="w"> </span><span class="nx">request</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">GM_xmlhttpRequest</span><span class="p">({</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-41" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-41" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-41"></a><span class="w"> </span><span class="nx">url</span><span class="o">:</span><span class="w"> </span><span class="s2">"https://www.baidu.com/"</span><span class="p">,</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-42" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-42" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-42"></a><span class="w"> </span><span class="nx">method</span><span class="o">:</span><span class="w"> </span><span class="s2">"GET"</span><span class="p">,</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-43" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-43" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-43"></a><span class="w"> </span><span class="nx">responseType</span><span class="o">:</span><span class="w"> </span><span class="s2">"text"</span><span class="p">,</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-44" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-44" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-44"></a><span class="w"> </span><span class="nx">onload</span><span class="p">(</span><span class="nx">ev</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-45" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-45" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-45"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="s2">"https://www.baidu.com/"</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-46" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-46" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-46"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">ev</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-47" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-47" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-47"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">ev</span><span class="p">.</span><span class="nx">response</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-48" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-48" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-48"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">ev</span><span class="p">.</span><span class="nx">responseHeaders</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-49" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-49" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-49"></a> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-50" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-50" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-50"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">log</span><span class="p">(</span><span class="nx">request</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-51" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-51" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-51"></a><span class="w"> </span><span class="p">},</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-52" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-52" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-52"></a><span class="w"> </span><span class="p">});</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-53" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-53" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-53"></a><span class="p">}</span><span class="w"> </span><span class="k">catch</span><span class="w"> </span><span class="p">(</span><span class="nx">error</span><span class="p">)</span><span class="w"> </span><span class="p">{</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-54" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-54" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-54"></a><span class="w"> </span><span class="nx">console</span><span class="p">.</span><span class="nx">error</span><span class="p">(</span><span class="nx">error</span><span class="p">);</span> <a id="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-55" name="rest_code_61ab469887de42b7afb7f1c0ef32ffe8-55" href="https://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/#rest_code_61ab469887de42b7afb7f1c0ef32ffe8-55"></a><span class="p">}</span> </pre></div> <p>打开 <a class="reference external" href="https://example.org/">https://example.org/</a> ,F12 打开 console。</p> <figure class="align-center"> <a class="reference external image-reference" href="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/GM_xmlhttpRequest_test_Violentmonkey.png"><img alt="/images/2023/browser-fetch-forbidden-header/GM_xmlhttpRequest_test_Violentmonkey.png" src="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/GM_xmlhttpRequest_test_Violentmonkey.png"></a> <figcaption> <p>GM_xmlhttpRequest Forbidden header Test on Violentmonkey</p> </figcaption> </figure> <figure class="align-center"> <a class="reference external image-reference" href="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/GM_xmlhttpRequest_test_Tampermonkey.png"><img alt="/images/2023/browser-fetch-forbidden-header/GM_xmlhttpRequest_test_Tampermonkey.png" src="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/GM_xmlhttpRequest_test_Tampermonkey.png"></a> <figcaption> <p>GM_xmlhttpRequest Forbidden header Test on Tampermonkey</p> </figcaption> </figure> <p>虽然不愿意相信,但事实摆在面前, <code class="docutils literal">GM_xmlhttpRequest</code> 确实突破了浏览器的 Forbidden header 限制。</p> <p>那么问题又来了,Violentmonkey、Tampermonkey 是怎么做到的?</p> <p>莫非是 <a class="reference external" href="https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Background_scripts">Background scripts</a> 里的 fetch API 有特殊的权限,可以像 Node 那样不受 Forbidden header 限制?</p> <p>将第一部分创建为 Background scripts,加载插件,打开插件调试 Console 。</p> <figure class="align-center"> <a class="reference external image-reference" href="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/Background_scripts_fetch.png"><img alt="/images/2023/browser-fetch-forbidden-header/Background_scripts_fetch.png" src="https://blog.bgme.me/images/2023/browser-fetch-forbidden-header/Background_scripts_fetch.png"></a> <figcaption> <p>fetch on Background scripts</p> </figcaption> </figure> <p>结果如图,很明显,Background scripts 中的 fetch API 也要受到 Forbidden header 的限制。</p> <p>翻看了一下 Violentmonkey 的源码(<a class="reference external" href="https://github.com/violentmonkey/violentmonkey/blob/5015a06f8ff1462a2139d8710dd02956c679ebb2/src/background/utils/requests.js">requests.js</a>、<a class="reference external" href="https://github.com/violentmonkey/violentmonkey/blob/5015a06f8ff1462a2139d8710dd02956c679ebb2/src/background/utils/requests-core.js">requests-core.js</a>),可以看出 Violentmonkey 通过 <a class="reference external" href="https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/webRequest">webRequest</a> API 突破了 Forbidden header 的限制。</p> <p>但有一个不幸的消息是 webRequest API 在 Manifest V3 中被 Google 干掉了,想要修改请求,就只能使用 <a class="reference external" href="https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/API/declarativeNetRequest">declarativeNetRequest</a> API 。 到了 Manifest V3 时代, GM_xmlhttpRequest 很可能就无法实现修改、读取 Forbidden header 的功能了。</p>browserfetchhttps://blog.bgme.me/posts/2023/browser-fetch-gm_xmlhttprequest-and-forbidden-header/Sat, 19 Aug 2023 15:58:38 GMT