See WWW::Scripter / WWW::Mechanize::Javascript and WWW::Mechanize::Firefox (written by me).

If you want something like WWW::Mechanize in Javascript, you're asking in the wrong place I guess...

Thanks for the answers. The reason I'm asking this in Perlmonks is because I'm not quite sure what I actually need/want in JavaScript.

We don't want users seeing the financial institution pages, we want to download the account statements in the background (but still using the client's browser). This has led me thinking into loading the banking pages in a hidden IFRAME, but yes, there's the same origin problem (I cannot peek into the DOM of the content of the IFRAME).

I just read up on cross-domain AJAX and JSONP, but this requires that the banking site returns JSON, which it does not.

We could setup a proxy on our servers, but this violates the requirement.

You might want to check out Selenium. It's designed for testing really, but it might well be a good fit for your requirements.

• http://seleniumhq.org/
• WWW::Selenium
• Test::WWW::Selenium

Thanks. I've also thought about Selenium and will keep it as an option. Although we might need to "mask" or "brand" the Selenium Firefox addon as something else to better convince our end users to install it on their browser. And of course there's the issue of other browsers.

I've had very good luck with iMacros. It's got multiple browser support (IE, Firefox, Chrome) and both free and commercial versions. The free version still has the scripting engine and can do pretty sophisticated interactions with web pages. It also lets you save results data and capture information.

You're going to run into a wall called cross site request forgery (xsrf). What your probably going to want to do is make a type of web proxy (something like this already exists though?) that takes the login, scrapes the page, takes more info and scrapes the page, and continues to repeat the process.

Either way, what you're asking about is a directed man in the middle attack. It might be completely legitimate because of the company policy of where your users work or some other law (I can't think of how or why and I doubt this is legitimate). But that should start you on enough resources to do what you want to do.

I can't think of a legitimate use for this, having a 3rd party BROWSER addon do automated logins on behalf of users to banks, means that it needs to store login/pass for users.... this is pretty much against most banking regulations AFAIK

and furthermore, since the entire session (not just the login) is likely to be https, you won't be able to scrape the gibberish. you can automate pressing buttons etc, but the https info sent from the server will not be intelligable, afaik.
the hardest line to type correctly is: stty erase ^H

Not necessarily, if the user/pass is stored by the browser addon in-memory for the current browsing session only. The user will then be slightly inconvenienced by having to enter a user/pass in the morning, but during the day as long as it does not close the browser, the browser addon can periodically login+logout on behalf of the user to check for new transactions.

Also, how is this different from browsers themselves saving login username/password for the user (by explicit consent from the user). Do banks in the US explicitly forbid this browser feature?