Summary: | Manifest v3 — fetch with credentials should include Cookies associated with host_permissions
---|---
Product: | WebKit
Component: | WebKit Extensions
Status: | NEW
Severity: | Normal
Priority: | P2
Version: | Safari 16
Hardware: | Unspecified
OS: | Unspecified
Reporter: | Gabriel Aubut-Lussier <gaubut>
Assignee: | Nobody <webkit-unassigned>
CC: | eric.slosser, timothy, webkit-bug-importer
Keywords: | InRadar
Attachments: | 469944: cookie seen in web-inspector storage
Description
Gabriel Aubut-Lussier
2023-08-24 14:56:54 PDT
The reason I expect Cookies to be sent is to be able to perform authenticated requests on a web service where the session id is stored in a HttpOnly, Secure and SameSite=Strict cookie. The WebExtension with the host_permissions for that domain should be able to perform authenticated requests.

According to the Fetch specification (Living Standard), the credentials should be included with all requests when using the `credentials: "include"` option.

https://fetch.spec.whatwg.org/#concept-request-credentials-mode

> A request has an associated credentials mode, which is "omit", "same-origin", or "include". Unless stated otherwise, it is "same-origin".
> "include"
> Always includes credentials with this request, and always use any credentials sent back in the response.

I think this might be the issue that's affecting an in-house web extension that needs to pass cookies created by the GCP auth process that an internal site uses.

On second look, I think not. The GCP process's Set-Cookie headers say 'SameSite=none', not 'Lax/Strict'.

In my case, the server is sending Set-Cookie headers with 'Same-Site: none, Secure, HttpOnly'. These cookies should be included in the request kicked off by my extension's fetch(), but they aren't. If I relax security (menu Safari > Settings > Privacy, uncheck 'Prevent cross-site tracking'), the cookies are included. But I can't ask my extension's users to do that, of course.

Created attachment 469944
cookie seen in web-inspector storage

Here's one of the GCP cookies I see after the auth process is done. This cookie isn't included in my fetch request unless I allow cross-site tracking. But this isn't a cross-site cookie; it should be allowed all the time.
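An added example, not part of the bug report or of WebKit's code, showing the setup the report describes: a Manifest v3 manifest with host_permissions for the API host, a background script that calls fetch() with `credentials: "include"`, a guard that the target URL is actually covered by host_permissions (a simplified match-pattern check), and a response check that tells whether the session cookie went out. The host api.example.com, the /v1/me endpoint, the manifest fields and the status-code interpretation are assumptions for illustration.

```javascript
// Added example (not from the bug report or from WebKit): an MV3 extension
// whose background script calls an authenticated API with fetch().
// The host name, endpoint and manifest fields below are assumptions.

// manifest.json, written as a JS object so it can be checked here.
// host_permissions is the MV3 key that grants the extension access to the
// listed origins (and, per the report, should let the session cookie ride along).
const manifest = {
  manifest_version: 3,
  name: "Session demo",
  version: "1.0",
  host_permissions: ["https://api.example.com/*"],
  background: { service_worker: "background.js" },
};

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Simplified MV3 match-pattern matcher: scheme://host/path, where the scheme
// may be "*" (http or https), the host may be "*" or start with "*.", and the
// path may contain "*" wildcards. Enough for the patterns used here; the
// browser's own implementation covers more forms.
function matchesHostPermission(url, patterns) {
  const u = new URL(url);
  return patterns.some((pattern) => {
    const m = /^(\*|https?):\/\/(\*|\*\.[^/]+|[^/*]+)(\/.*)$/.exec(pattern);
    if (!m) throw new Error(`unsupported match pattern: ${pattern}`);
    const [, scheme, host, path] = m;
    const schemeOk =
      scheme === "*" ? /^https?:$/.test(u.protocol) : u.protocol === `${scheme}:`;
    let hostOk;
    if (host === "*") {
      hostOk = true;
    } else if (host.startsWith("*.")) {
      const base = host.slice(2);
      hostOk = u.hostname === base || u.hostname.endsWith(`.${base}`);
    } else {
      hostOk = u.hostname === host;
    }
    const pathRe = new RegExp("^" + path.split("*").map(escapeRegExp).join(".*") + "$");
    return schemeOk && hostOk && pathRe.test(u.pathname + u.search);
  });
}

// Build the RequestInit the background script should use. credentials:
// "include" asks the browser to attach the stored session cookie (HttpOnly,
// Secure, SameSite=Strict in the report) although the request does not come
// from a page on that site. A URL outside host_permissions is refused up
// front rather than failing later with an opaque error.
function authenticatedRequest(url, init = {}) {
  if (!matchesHostPermission(url, manifest.host_permissions)) {
    throw new Error(`${url} is not covered by host_permissions`);
  }
  return { ...init, credentials: "include" };
}

// Interpret the server's answer. Assumption: with the cookie attached the API
// answers 200; if the browser dropped the cookie (the behaviour this bug
// reports) the server sees an anonymous request and answers 401 or 403.
function sessionState(response) {
  if (response.status === 200) return "authenticated";
  if (response.status === 401 || response.status === 403) return "cookie not sent";
  return `unexpected status ${response.status}`;
}

// background.js entry point. Assumed endpoint; only runs inside the extension
// (the guard below keeps it inert when the module is loaded under Node).
async function fetchProfile() {
  const url = "https://api.example.com/v1/me";
  const response = await fetch(url, authenticatedRequest(url, { method: "GET" }));
  return { state: sessionState(response), body: response.ok ? await response.json() : null };
}

if (typeof chrome !== "undefined" && chrome.runtime) {
  chrome.runtime.onInstalled.addListener(() => {
    fetchProfile().then((r) => console.log("session:", r.state));
  });
}
```

Loaded as background.js, the extension fetches the profile on install; under Node the guard at the end is skipped and the helpers can be exercised directly. Because the cookie in the report is HttpOnly, script cannot inspect it on the request side; whether it was attached is only visible from the server's answer, which is what sessionState() reports.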