fix #2364: remove special chars from XHR cookie name

src/background/utils/preinject.js

@@ -2,7 +2,7 @@ import {
   getActiveTab, getScriptName, getScriptPrettyUrl, getUniqId, sendTabCmd
 } from '@/common';
 import {
-  __CODE, TL_AWAIT, UNWRAP,
+  __CODE, TL_AWAIT, UNWRAP, XHR_COOKIE_RE,
   BLACKLIST, HOMEPAGE_URL, KNOWN_INJECT_INTO, META_STR, METABLOCK_RE, NEWLINE_END_RE,
 } from '@/common/consts';
 import initCache from '@/common/cache';
@@ -30,6 +30,7 @@ let isApplied;
 let injectInto;
 let ffInject;
 let xhrInject = false; // must be initialized for proper comparison when toggling
+let xhrInjectKey;
 
 const sessionId = getUniqId();
 const API_HEADERS_RECEIVED = browser.webRequest.onHeadersReceived;
@@ -299,6 +300,7 @@ function toggleXhrInject(enable) {
   if (enable) enable = injectInto !== CONTENT;
   if (xhrInject === enable) return;
   xhrInject = enable;
+  xhrInjectKey ??= extensionRoot.match(XHR_COOKIE_RE)[1];
   cache.destroy();
   API_HEADERS_RECEIVED.removeListener(onHeadersReceived);
   if (enable) {
@@ -369,7 +371,7 @@ function prepareXhrBlob({ [kResponseHeaders]: responseHeaders, [kFrameId]: frame
   ]));
   responseHeaders.push({
     name: kSetCookie,
-    value: `"${process.env.INIT_FUNC_NAME}"=${blobUrl.split('/').pop()}; SameSite=Lax`,
+    value: `${xhrInjectKey}=${blobUrl.split('/').pop()}; SameSite=Lax`,
   });
   setTimeout(URL.revokeObjectURL, 60e3, blobUrl);
   return { [kResponseHeaders]: responseHeaders };

src/common/consts.js

@@ -54,3 +54,4 @@ export const ERR_BAD_PATTERN = 'Bad pattern:';
 export const VM_HOME = 'https://violentmonkey.github.io/';
 export const VM_DOCS_MATCHING = VM_HOME + 'api/matching/';
 export const FILE_GLOB_ALL = 'file://*/*';
+export const XHR_COOKIE_RE = /:\W+([-\w]+)/; // extracts ://id in Chrome, ://{id} in Firefox

src/injected/content/index.js

@@ -5,7 +5,7 @@ import './notifications';
 import './requests';
 import './tabs';
 import { sendCmd } from './util';
-import { isEmpty } from '../util';
+import { isEmpty, XHR_COOKIE_RE } from '../util';
 import { Run, finish } from './cmd-run';
 
 const { [IDS]: ids } = bridge;
@@ -91,12 +91,12 @@ async function getDataFF(viaMessaging) {
 
 function getXhrInjection() {
   try {
-    const quotedKey = `"${INIT_FUNC_NAME}"`;
+    const key = VM_UUID.match(XHR_COOKIE_RE)[1];
     // Accessing document.cookie may throw due to CSP sandbox
-    const cookieValue = document.cookie.split(`${quotedKey}=`)[1];
+    const cookieValue = document.cookie.split(`${key}=`)[1];
     const blobId = cookieValue && cookieValue.split(';', 1)[0];
     if (blobId) {
-      document.cookie = `${quotedKey}=0; max-age=0; SameSite=Lax`; // this removes our cookie
+      document.cookie = `${key}=0; max-age=0; SameSite=Lax`; // this removes our cookie
       const xhr = new XMLHttpRequest();
       const url = `blob:${VM_UUID}${blobId}`;
       xhr.open('get', url, false); // `false` = synchronous