Is there a way to not send cookies when making an XMLHttpRequest on the same origin?

Question

I\'m working on an extension that parses the gmail rss feed for users. I allow the users to specify username/passwords if they don\'t want to stay signed-in. But this breaks

Answer 1

You can do that by using the chrome.cookies module. The idea is to get the current cookies, save them, remove them from the browser's cookie store, send your request, and finally restore them:

var cookies_temp = []; // where you put the cookies first
var my_cookie_store = []; // the cookies will be there during the request
var details = {/*your code*/}; // the first parameter for chrome.cookies.getAll()
var start_kidnapping = function(cookies) {
    cookies_temp = cookies.slice();
    kidnap_cookie();
};
var kidnap_cookie = function() {
    // This recursive function will store the cookies from cookies_temp to
    // my_cookie_store and then remove them from the browser's cookie store.
    if (cookies_temp.length == 0) { // when no more cookies, end recursion
        send_request();
    };
    else {
        var cookie = cookies_temp.pop();
        // We store url as a property since it is useful later.
        // You may want to change the scheme.
        cookie.url = "http://" + cookie.domain + cookie.path;
        my_cookie_store.push(cookie); // save it
        chrome.cookies.remove({url: cookie.url, name: cookie.name}, kidnap_cookie);
    };
};
var send_request = function() {
    // Send your request here. It can be asynchronous.
    for (var i = 0, i < my_cookie_store.length; i++){
        delete cookie.hostOnly; // these 2 properties are not part of the
        delete cookie.session;  // object required by chrome.cookies.set()
        // note that at this point, cookie is no longer a Cookie object
        chrome.cookies.set(my_cookie_store[i]); // restore cookie
    };
    my_cookie_store = []; // empty it for new adventures
};
chrome.cookies.getAll(details, start_kidnapping); // start

Alternatively, a simpler solution is to open an incognito window which will send the request, using the chrome.windows module, but this will prevent you from communicating with the rest of your extension. Note that you may have to change the incognito property of your manifest to split:

var incognito_window = {
    "url": "incognito.html",
    "focused": false, // do not bother user
    "incognito": true
}
chrome.windows.create(incognito_window);

Answer 2

As of Chrome 42, the fetch API allows Chrome extensions (and web applications in general) to perform cookie-less requests. HTML5 Rocks offers an introductory tutorial on using the fetch API.

Advanced documentation on fetch is quite sparse at the moment, but the API interface from the specification is a great starting point. The fetch algorithm described below the interface shows that requests generated by fetch have no credentials by default!

fetch('http://example.com/').then(function(response) {
    return response.text(); // <-- Promise<String>
}).then(function(responseText) {
    alert('Response body without cookies:\n' + responseText);
}).catch(function(error) {
    alert('Unexpected error: ' + error);
});

If you want truly anonymous requests, you could also disable the cache:

fetch('http://example.com/', {
    // credentials: 'omit', // this is the default value
    cache: 'no-store',
}).then(function(response) {
    // TODO: Handle the response.
    // https://fetch.spec.whatwg.org/#response-class
    // https://fetch.spec.whatwg.org/#body
});