Bug 260676

Summary: Manifest v3 — fetch with credentials should include Cookies associated with host_permissions
Product: WebKit
Reporter: Gabriel Aubut-Lussier <gaubut>
Component: WebKit Extensions
Assignee: Nobody <webkit-unassigned>
Status: NEW
Severity: Normal
CC: eric.slosser, timothy, webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: Safari 16
Hardware: Unspecified
OS: Unspecified

Attachments:
Sample web extension (Flags: none)
cookie seen in web-inspector storage (Flags: none)

Description Gabriel Aubut-Lussier 2023-08-24 14:56:54 PDT
Created attachment 467423 [details]
Sample web extension

Safari is the only browser that doesn't include Cookies when a browser extension uses `fetch("https://example.com", {credentials: "include"});` when the Cookies have the attribute SameSite=Lax/Strict.

In order to reproduce the issue, with the attached Xcode project, perform the following steps:
1- Build the extension
2- Activate it in Safari
3- The extension automatically creates 3 cookies named None, Lax and Strict with the corresponding SameSite attribute values and it automatically performs a fetch from the background script, and also opens up a tab on https://echo-http-requests.appspot.com/echo
4- Confirm that the output of https://echo-http-requests.appspot.com/echo in the opened tab includes the 3 cookies
5- Confirm that the output in the background script's console logs says Cookie: undefined

Expected behavior: The background script's console logs say the same thing as the output in the tab https://echo-http-requests.appspot.com/echo
Comment 1 Radar WebKit Bug Importer 2023-08-24 14:57:16 PDT
<rdar://problem/114404587>
Comment 2 Gabriel Aubut-Lussier 2023-08-24 14:58:39 PDT
The reason I expect Cookies to be sent is to be able to perform authenticated requests on a web service where the session id is stored in an HttpOnly, Secure and SameSite=Strict cookie. The WebExtension with the host_permissions for that domain should be able to perform authenticated requests.
Comment 3 Gabriel Aubut-Lussier 2023-08-29 12:08:20 PDT
According to the Fetch specification (Living Standard), the credentials should be included with all requests when using the `credentials: "include"` option.

https://fetch.spec.whatwg.org/#concept-request-credentials-mode

> A request has an associated credentials mode, which is "omit", "same-origin", or "include". Unless stated otherwise, it is "same-origin".
> "include"
>    Always includes credentials with this request, and always use any credentials sent back in the response.
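The following is an added example, not code from the bug report, the attached extension or WebKit. It models, as a pure function, which stored cookies a user agent attaches to a request given the cookie's SameSite/Secure attributes, the Fetch credentials mode quoted above, and whether the request is treated as same-site. The three cookies mirror the repro steps in the description; the request shapes and the `thirdPartyCookiesBlocked` switch (a rough stand-in for a browser refusing all cross-site cookies) are constructed for illustration. Treating a cookie without a SameSite attribute as Lax is a modelling assumption (the RFC 6265bis default; browsers differ). The point it shows: with `credentials: "include"`, the only thing that can drop Lax and Strict cookies from an extension's fetch is the user agent classifying that fetch as cross-site.

```javascript
// Added example (not from the bug report or WebKit): a model of cookie attachment
// per credentials mode and SameSite. Cookies and request shapes are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse one Set-Cookie header value. A missing SameSite attribute is treated as
// Lax here (modelling assumption; RFC 6265bis default, user agents differ).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    sameSite: 'Lax',
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [rawKey, rawVal = ''] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const val = rawVal.trim().toLowerCase();
    if (key === 'samesite') {
      cookie.sameSite = val === 'none' ? 'None' : val === 'strict' ? 'Strict' : 'Lax';
    } else if (key === 'secure') {
      cookie.secure = true;
    } else if (key === 'httponly') {
      cookie.httpOnly = true;
    }
  }
  return cookie;
}

// RFC 6265bis: a SameSite=None cookie must also be Secure, otherwise it is rejected.
function storeCookies(headers) {
  return headers.map(parseSetCookie).filter((c) => !(c.sameSite === 'None' && !c.secure));
}

// Decide whether one stored cookie is attached to a request.
// req: { credentials, crossOrigin, sameSite, https, method, topLevelNavigation, thirdPartyCookiesBlocked }
function isAttached(cookie, req) {
  if (req.credentials === 'omit') return false;                       // Fetch: never send credentials
  if (req.credentials === 'same-origin' && req.crossOrigin) return false;
  if (cookie.secure && !req.https) return false;                       // Secure cookies only over HTTPS
  if (req.sameSite) return true;                                       // same-site: SameSite never blocks
  if (req.thirdPartyCookiesBlocked) return false;                      // tracking prevention: nothing cross-site
  if (cookie.sameSite === 'None') return true;
  if (cookie.sameSite === 'Lax') return req.topLevelNavigation && SAFE_METHODS.has(req.method);
  return false;                                                        // Strict: never cross-site
}

// Build the Cookie header the echo server would show, or undefined when no cookie
// is sent (the value the reporter saw logged from the background script).
function cookieHeaderFor(jar, req) {
  const sent = jar.filter((c) => isAttached(c, req)).map((c) => `${c.name}=${c.value}`);
  return sent.length ? sent.join('; ') : undefined;
}

// Constructed cookies mirroring the three cookies the sample extension creates.
const JAR = storeCookies([
  'None=1; Secure; SameSite=None',
  'Lax=1; Secure; SameSite=Lax',
  'Strict=1; Secure; SameSite=Strict',
]);

const BASE = {
  credentials: 'include', crossOrigin: true, https: true, method: 'GET',
  topLevelNavigation: false, thirdPartyCookiesBlocked: false,
};

// Step 4: the echo page opened in a tab (top-level, same-site navigation).
function tabNavigation() {
  return cookieHeaderFor(JAR, { ...BASE, crossOrigin: false, sameSite: true, topLevelNavigation: true });
}

// Expected behaviour: the background fetch is treated as same-site for a host
// covered by host_permissions, so it matches the tab.
function extensionFetchAsSameSite() {
  return cookieHeaderFor(JAR, { ...BASE, sameSite: true });
}

// Observed behaviour for Lax/Strict: the same fetch classified as a cross-site subresource request.
function extensionFetchAsCrossSite() {
  return cookieHeaderFor(JAR, { ...BASE, sameSite: false });
}

// Cross-site request with all third-party cookies blocked: even SameSite=None is dropped.
function extensionFetchWithTrackingPrevention() {
  return cookieHeaderFor(JAR, { ...BASE, sameSite: false, thirdPartyCookiesBlocked: true });
}

// credentials: "omit" sends nothing regardless of context.
function fetchOmit() {
  return cookieHeaderFor(JAR, { ...BASE, credentials: 'omit', sameSite: true });
}
```

Running the five scenario functions side by side makes the classification visible: the same jar yields all three cookies when the request is same-site, only `None=1` when it is cross-site, and `undefined` when cross-site cookies are blocked entirely, so a `Cookie: undefined` log line points at the request's site classification rather than at the cookies' attributes.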
Comment 4 Eric Slosser 2024-02-12 14:07:47 PST
I think this might be the issue that's affecting an in-house web extension that needs to pass cookies created by the GCP auth process that an internal site uses.
Comment 5 Eric Slosser 2024-02-12 14:11:52 PST
On 2nd look, I think not. The GCP process's Set-Cookie headers say 'SameSite=none', not 'Lax/Strict'.
Comment 6 Eric Slosser 2024-02-17 05:08:00 PST
In my case, the server is sending Set-Cookie headers with 'Same-Site: none, Secure, HttpOnly'.

These cookies should be included in the request kicked off by my extension's fetch(), but they aren't.

If I relax security (menu Safari > Settings > Privacy, uncheck 'Prevent cross-site tracking'), the cookies are included. But I can't ask my extension's users to do that, of course.
Comment 7 Eric Slosser 2024-02-17 05:11:17 PST
Created attachment 469944 [details]
cookie seen in web-inspector storage

Here's one of the GCP cookies I see after the auth process is done. This cookie isn't included in my fetch request unless I allow cross-site tracking. But this isn't a cross-site cookie; it should be allowed all the time.