
Can't manage to do cross-domain XMLHttpRequest in UserJS (injected script) in the latest (stable 12 and beta v. 1497) Opera. Is it a bug?


The thing is that it works when the script is on a page that is normally fetched from the net, but when the code lies in a userscript, that is, as part of a plugin, it suddenly forgets that there is an Access-Control-Allow-Origin: * header and stops responding to cross-domain requests.

Here is some code that illustrates this:

// ==UserScript==
// @include     *nasa.gov*
// ==/UserScript==

var xhr = new window.XMLHttpRequest();
xhr.onreadystatechange = function () {
  alert('state changed: ' + this.readyState + "\nstatus: " + this.status);
};
xhr.onload = function(){
  alert('document loaded');
};
xhr.open('GET','http://apod.nasa.gov');
xhr.send(null);

I've chosen the APOD site since it has not got the b&w of modern websites, so there is no need to filter events.

And in this state it works OK, but when I point this URL to my server, which accepts calls from every site, it ignores the allow-origin header...

OK, is it a bug, or am I doing something wrong here? Maybe there is some option on the request object to 'assure' it that it is OK to go there? I don't know, like xhr.allowcrossdomainaccess = true or whatever?


Solution

  • (You've already figured this out, but just to give this question a proper answer...)

    Injected scripts run in the page with (mostly) normal security privileges - same as page scripts do. Hence, you won't typically be able to do cross-domain requests from injected scripts.

    Also see https://stackoverflow.com/a/9614760/163549 for CORS implementation status in Opera.
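
An added example (not part of the original question or answer) that models the decision discussed above: an injected script takes the origin of the page it runs in, and a CORS-capable browser lets it read a cross-origin response only when the response headers allow that origin. The function names, the lower-cased header object and `my-server.example` are assumptions made for illustration.

```javascript
// Added example: models the same-origin test and the CORS response check that a
// CORS-capable browser applies to a simple GET. All sample inputs are constructed.

// Serialize scheme://host:port; URL.origin drops default ports (80 for http).
function originOf(url) {
  return new URL(url).origin;
}

// pageUrl: the page the injected script runs in (it inherits that page's origin).
// headers: response headers as a plain object with lower-cased names (assumption).
// withCredentials mirrors xhr.withCredentials.
function canReadResponse(pageUrl, requestUrl, headers, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(requestUrl)) {
    return { allowed: true, reason: 'same-origin' };
  }
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  if (withCredentials) {
    // The wildcard is not honoured for credentialed requests.
    if (acao === '*') {
      return { allowed: false, reason: 'wildcard with credentials' };
    }
    if (headers['access-control-allow-credentials'] !== 'true') {
      return { allowed: false, reason: 'Access-Control-Allow-Credentials missing' };
    }
  }
  if (acao === '*' || acao === pageOrigin) {
    return { allowed: true, reason: 'CORS header matches' };
  }
  return { allowed: false, reason: 'origin mismatch' };
}

// Constructed inputs: a page matched by the userscript's @include, and a
// hypothetical server that answers with the wildcard header.
const wildcard = { 'access-control-allow-origin': '*' };
console.log(canReadResponse('http://apod.nasa.gov/x', 'http://apod.nasa.gov', {}));
console.log(canReadResponse('http://www.nasa.gov/', 'http://apod.nasa.gov', {}));
console.log(canReadResponse('http://www.nasa.gov/', 'http://my-server.example/', wildcard));
```

If a request that this check allows is still blocked, the browser build is not applying CORS in that context, which is what the implementation-status link in the answer covers.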