Cookie Sync

Sync cookies across browsers using GitHub Gist with E2E encryption (AES-GCM + PBKDF2-SHA256)

Skript installieren ?

Stellen Sie eine Frage, veröffentlichen Sie eine Bewertung oder melden Sie das Skript.

Autor: hxueh
Installationen heute: 1
Installationen gesamt: 1
Bewertungen: 1 0 0
Version: 0.0.16
Erstellt am: 18.01.2026
Letzte Aktualisierung: 19.01.2026
Größe: 71 KB
Lizenz: MIT
Wird angewandt auf: Alle Seiten

Cookie Sync

A secure cookie synchronization tool that uses GitHub Gist as storage with end-to-end AES-GCM encryption.

Author: hxueh
Version: 0.0.4
License: MIT

Features

🔐 End-to-End Encryption: AES-256-GCM encryption with PBKDF2-SHA256 key derivation (100,000 iterations)
🌐 Per-Domain Sync: Each domain's cookies are stored separately in the Gist
🍪 Selective Sync: Choose specific cookies or sync all for the current domain
📤 Manual Push/Pull: Full control over when to sync
🗑️ Remote Delete: Delete synced data for the current domain from GitHub Gist
🎨 Floating UI: Draggable, modern dark-themed interface
☁️ GitHub Gist Storage: Private gist with fine-grained token access

How Sync Works

This script uses per-domain synchronization with a metadata index:

Gist Structure

your-gist/
├── cookie-sync-metadata.json   (encrypted) - index of all synced domains
├── cookies_github.com.json     (encrypted) - github.com cookies
├── cookies_google.com.json     (encrypted) - google.com cookies
└── ...

Push Behavior

Get local syncKeys selection (cookie names)
If syncKeys is empty → push all cookies for the domain
If syncKeys has values → push only those cookies
Store both syncKeys and cookies in the remote file
Completely replaces the domain's file

Pull Behavior

Download the domain's file
Read syncKeys from remote file
If syncKeys is empty → apply all cookies in file
If syncKeys has values → apply only those cookies
Update local syncKeys selection to match remote

syncKeys Field

Stored in remote file, synced across browsers
Empty [] = all cookies are synced
Has values = only those cookie names are synced on pull

Installation

1. Install Tampermonkey

Install the Tampermonkey extension for your browser:

2. Create GitHub Fine-Grained Token

Go to GitHub → Settings → Developer settings → Personal access tokens → Fine-grained tokens
Click "Generate new token"
Configure:
- Token name: Cookie Sync
- Expiration: Choose your preferred duration
- Repository access: Select "Public Repositories (read-only)" or no specific repos needed
- Permissions → Account permissions → Gists: Set to Read and write
Click "Generate token"
Copy the token immediately (you won't see it again!)

3. Install the Userscript

Click on the Tampermonkey icon in your browser
Select "Create a new script"
Delete all default content
Copy and paste the entire content of cookie-sync.user.js
Press Ctrl+S (or Cmd+S on Mac) to save
The script will now run on all websites

Usage

Opening the Panel

Click the 🍪 cookie button in the bottom-right corner of any page
Or use Tampermonkey menu → Open Cookie Sync

Initial Setup

Open the Cookie Sync panel
Go to Settings tab
Enter your encryption password (remember this - it's required for decryption!)
Paste your GitHub Personal Access Token
Leave Gist ID empty (it will be auto-created on first push)
Click Save Settings

Syncing Cookies

Push (Upload) Cookies:

Navigate to the website whose cookies you want to sync (e.g., github.com)
Open Cookie Sync panel - you'll see the current domain displayed
Go to Cookies tab
Click Refresh Cookie List to see available cookies
Optional: Select specific cookie names (sync keys) to sync
- If none selected → all cookies will be synced
- If some selected → only those cookie names will be synced on pull
Go to Sync tab and click Push

Pull (Download) Cookies:

On another browser, install the script and configure with:
- Same password
- Same GitHub token (or a different token with access)
- Same Gist ID (copy from first browser)
Navigate to the same website (e.g., github.com)
Click Pull
- The sync keys stored in the remote file determine which cookies are applied
- Your local sync key selection updates to match the remote

Example Workflow:

Browser A (source):
1. Go to github.com
2. Select sync keys: ["logged_in", "user_session"]
3. Push → uploads those 2 cookies + syncKeys: ["logged_in", "user_session"]

Browser B (destination):
1. Go to github.com
2. Pull → reads syncKeys from remote, applies only logged_in and user_session
3. Local syncKeys selection now shows: ["logged_in", "user_session"]

Example with empty syncKeys:

Browser A:
1. Select no keys (leave all unchecked)
2. Push → uploads all cookies + syncKeys: []

Browser B:
1. Pull → syncKeys is empty, so all cookies are applied

Deleting Remote Data

Click "Delete Remote Data" to remove the cookie file from the Gist
This does not delete local cookies or settings

Security Architecture

┌─────────────────────────────────────────────────────────────┐
│                    Cookie Data (JSON)                        │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│  PBKDF2-SHA256 Key Derivation                               │
│  - Password + Random Salt (16 bytes)                        │
│  - 100,000 iterations                                       │
│  - Produces 256-bit AES key                                 │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│  AES-256-GCM Encryption                                     │
│  - Random IV (12 bytes)                                     │
│  - Authenticated encryption                                 │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│  Base64 Encoded Output: [Salt][IV][Ciphertext+AuthTag]      │
└─────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────┐
│  GitHub Gist (Private)                                      │
└─────────────────────────────────────────────────────────────┘

Data Format

Metadata File (`cookie-sync-metadata.json`)

{
  "domains": ["github.com", "google.com"],
  "lastUpdated": 1737312000000
}

Domain File (e.g., `cookies_github.com.json`)

{
  "timestamp": 1737312000000,
  "domain": "github.com",
  "syncKeys": ["logged_in", "user_session"],
  "cookies": {
    "logged_in": {
      "value": "yes",
      "domain": ".github.com",
      "path": "/",
      "secure": true,
      "httpOnly": true,
      "sameSite": "lax",
      "expirationDate": 1768848000
    },
    "user_session": {
      "value": "ABC123XYZ789...",
      "domain": ".github.com",
      "path": "/",
      "secure": true,
      "httpOnly": true,
      "sameSite": "lax",
      "expirationDate": 1768848000
    }
  }
}

Fields:

syncKeys: Array of cookie names to sync. Empty [] means sync all cookies in the file.
cookies: Key-value pairs where cookie name is the key.

Troubleshooting

"GitHub API error: 401"

Your token may have expired or be invalid
Generate a new fine-grained token with Gist permissions

"Encryption password not set"

Go to Settings tab and enter your password
Click Save Settings

Cookies not being set

Some cookies with httpOnly flag may have restrictions
Cross-domain cookies may be blocked by browser security policies
Check browser console for specific errors

GM_cookie not working

Ensure Tampermonkey has "Access your data for all websites" permission
Try updating Tampermonkey to the latest version

Keyboard Shortcuts (via Tampermonkey menu)

Open Cookie Sync: Opens the panel
Push Cookies: Quick push without opening panel
Pull Cookies: Quick pull without opening panel

Privacy & Security Notes

Password is stored locally in Tampermonkey's secure storage
GitHub token is stored locally - never transmitted except to GitHub API
All cookie data is encrypted before leaving your browser
Gist is private by default (but you control the token access)
No analytics or tracking - the script runs entirely client-side

Limitations

Maximum Gist file size: 10 MB (plenty for cookies)
Rate limits: GitHub API has rate limits (~5000 requests/hour with token)
Some httpOnly cookies may not be accessible depending on browser/extension permissions
Session cookies without expiration dates are synced but may behave differently

License

MIT License - Free to use and modify.

Version History

0.0.4: Performance & reliability improvements
- Lazy load UI (only created when opened)
- Shadow DOM for style isolation and CSP compatibility
- Modern Base64 encoding using Array.from()
- Toast notifications for quick Push/Pull via menu
0.0.1: Initial release with full encryption, GitHub Gist sync, and floating UI

Cookie Sync

Features

How Sync Works

Gist Structure

Push Behavior

Pull Behavior

syncKeys Field

Installation

1. Install Tampermonkey

2. Create GitHub Fine-Grained Token

3. Install the Userscript

Usage

Opening the Panel

Initial Setup

Syncing Cookies

Push (Upload) Cookies:

Pull (Download) Cookies:

Example Workflow:

Example with empty syncKeys:

Deleting Remote Data

Security Architecture

Data Format

Metadata File (cookie-sync-metadata.json)

Domain File (e.g., cookies_github.com.json)

Troubleshooting

"GitHub API error: 401"

"Encryption password not set"

Cookies not being set

GM_cookie not working

Keyboard Shortcuts (via Tampermonkey menu)

Privacy & Security Notes

Limitations

License

Version History

Metadata File (`cookie-sync-metadata.json`)

Domain File (e.g., `cookies_github.com.json`)