Description
The GM_download function currently ignores the @connect metadata block defined in the userscript header. This allows a script to make requests to any arbitrary domain, even if it is not explicitly whitelisted. Furthermore, these requests are sent with the user's stored cookies for those domains, which poses a potential security risk.
Expected Behavior
GM_download should respect the @connect security policy, similar to how GM_xmlhttpRequest operates. If a domain is not listed in the @connect rules, the request should be blocked by the userscript manager.
Actual Behavior
The function bypasses all @connect checks. Even if @connect none is specified or if the domain is not in the whitelist, GM_download successfully initiates the download and includes the browser's session cookies in the request headers.
Steps to Reproduce
- Create a userscript with the following metadata (note that no `@connect` line is declared):

```javascript
// ==UserScript==
// @name         Security Test Script
// @match        https://example.com/
// @grant        GM_download
// ==/UserScript==

// Attempt to download from a domain that is NOT listed in @connect
// (the header above declares no @connect at all).
const attacker = GM_download({
  url: 'https://another-domain.com/delete-account',
  name: 'test.pdf'
});

// Abort shortly after the call; by then the request has already left the browser.
setTimeout(() => { attacker.abort(); }, 300);
```

- Run the script.
- Observe that the download starts despite `another-domain.com` not being listed in `@connect`.
- Check the Network tab to confirm that cookies for `another-domain.com` were sent with the request.
- Since the connection is lost immediately after the request is made, send a request to your desired destination with the cookie information.
Environment
- Browser: Chrome
- Userscript Manager: Tampermonkey
- Manager Version: 5.4.1
- OS: Linux
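As an added illustration of the check the report asks for (this is not Tampermonkey's code and not part of the original report), the block below parses a userscript metadata block and applies `@connect` rules to a request URL before a download is allowed to proceed. The rule semantics are the author's reading of the documented `@connect` values (a domain entry covers that domain and its subdomains, `self` is the host of the page the script runs on, `localhost` covers loopback, `*` permits everything); treating `none` as an explicit deny-all and denying, rather than prompting, when no rule matches are assumptions made for the example. The sample scripts are constructed here; the first is the one from the report.

```javascript
// Added example: a reference @connect policy check of the kind GM_download
// should apply, mirroring what GM_xmlhttpRequest does. Illustrative code only;
// it is not Tampermonkey's implementation.

const META_RE = /\/\/\s*==UserScript==([\s\S]*?)\/\/\s*==\/UserScript==/;

// Parse the metadata block into a map of key -> [values] (keys may repeat).
function parseMetadata(source) {
  const m = META_RE.exec(source);
  if (!m) throw new Error('no ==UserScript== metadata block found');
  const meta = {};
  for (const line of m[1].split('\n')) {
    const kv = /^\s*\/\/\s*@(\w+)\s+(.*?)\s*$/.exec(line);
    if (!kv) continue;
    (meta[kv[1]] = meta[kv[1]] || []).push(kv[2]);
  }
  return meta;
}

// A domain rule matches the host itself and any subdomain of it.
// The leading dot prevents "evilcdn.example.net" from matching "cdn.example.net".
function hostMatches(host, rule) {
  return host === rule || host.endsWith('.' + rule);
}

// Decide whether a request to `url` is permitted by the script's @connect rules.
// `pageHost` is the hostname of the page the script is running on (for "self").
// Assumption: no matching rule means deny; a real manager might prompt instead.
function connectAllows(meta, url, pageHost) {
  const rules = meta.connect || [];
  if (rules.length === 0) return false;        // nothing declared: deny
  if (rules.includes('none')) return false;    // assumption: explicit deny-all
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return false;                               // unparsable URL: deny
  }
  for (const rule of rules) {
    if (rule === '*') return true;
    if (rule === 'self') {
      if (host === pageHost) return true;
      continue;
    }
    if (rule === 'localhost') {
      if (host === 'localhost' || host === '127.0.0.1' || host === '[::1]') return true;
      continue;
    }
    if (hostMatches(host, rule)) return true;
  }
  return false;
}

// Wrapper showing where the check belongs: before the real download is issued,
// so no cookie-bearing request ever leaves the browser for a non-whitelisted host.
function guardedDownload(meta, pageHost, details, realDownload) {
  if (!connectAllows(meta, details.url, pageHost)) {
    throw new Error('@connect does not permit requests to ' + details.url);
  }
  return realDownload(details);
}

// Constructed sample: the report's script, which declares no @connect at all.
const SAMPLE_NO_CONNECT = `// ==UserScript==
// @name     Security Test Script
// @match    https://example.com/
// @grant    GM_download
// ==/UserScript==`;

// Constructed sample: a script that whitelists one CDN host plus its own page.
const SAMPLE_WITH_CONNECT = `// ==UserScript==
// @name     Whitelisted Download
// @match    https://example.com/
// @connect  cdn.example.net
// @connect  self
// @grant    GM_download
// ==/UserScript==`;

// Constructed sample: a script that explicitly opts out of all outbound access.
const SAMPLE_CONNECT_NONE = `// ==UserScript==
// @name     Locked Down
// @match    https://example.com/
// @connect  none
// @grant    GM_download
// ==/UserScript==`;

// Demonstration: the report's request is rejected before any download starts.
function demo() {
  const meta = parseMetadata(SAMPLE_NO_CONNECT);
  let blocked = false;
  try {
    guardedDownload(meta, 'example.com',
      { url: 'https://another-domain.com/delete-account', name: 'test.pdf' },
      (d) => ({ started: true, url: d.url }));
  } catch (e) {
    blocked = true;
  }
  return blocked;
}
```

The check must run on the final request URL inside the manager, not on anything the script supplies as a hint, and it must run before the request (and the cookie jar lookup that accompanies it) is handed to the browser; aborting afterwards, as the report shows, is too late.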