Bug 260676 (NEW): Manifest v3 — fetch with credentials should include Cookies associated with host_permissions
https://bugs.webkit.org/show_bug.cgi?id=260676
Gabriel Aubut-Lussier
Reported 2023-08-24 14:56:54 PDT
Created attachment 467423 [details]: Sample web extension

Safari is the only browser that doesn't include Cookies when a browser extension uses `fetch("https://example.com", {credentials: "include"});` when the Cookies have the attribute SameSite=Lax/Strict.

In order to reproduce the issue, with the attached Xcode project, perform the following steps:

1- Build the extension
2- Activate it in Safari
3- The extension automatically creates 3 cookies named None, Lax and Strict with the corresponding SameSite attribute values and it automatically performs a fetch from the background script, and also opens up a tab on https://echo-http-requests.appspot.com/echo
4- Confirm that the output of https://echo-http-requests.appspot.com/echo in the opened tab includes the 3 cookies
5- Confirm that the output in the background script's console log says Cookie: undefined

Expected behavior: The background script's console log says the same thing as the output in the tab https://echo-http-requests.appspot.com/echo
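As an added diagnostic that is not part of the bug report or of WebKit: the helper below builds the three cookie records the sample extension creates (in the shape the WebExtensions `browser.cookies.set()` API accepts) and compares the `Cookie:` line echoed in the opened tab (step 4) with the one logged by the background script's fetch (step 5), returning the cookies the extension fetch failed to attach. Cookie names, the echo URL and the `Cookie: undefined` log line come from the report; the cookie values and the exact echo format are assumptions.

```javascript
// Added example, not part of the bug report or of WebKit. The cookie names,
// the echo URL and the "Cookie: undefined" log line come from the report;
// the cookie values and the echo line format are assumptions.

// browser.cookies.set() sameSite values and the names the sample extension uses.
const SAMESITE_MODES = { no_restriction: "None", lax: "Lax", strict: "Strict" };

function buildCookieRecords(url) {
  return Object.entries(SAMESITE_MODES).map(([mode, name]) => ({
    url,            // cookie belongs to this host (covered by host_permissions)
    name,
    value: "1",     // assumed value; the report does not specify one
    secure: true,
    sameSite: mode,
  }));
}

// Parse an echoed "Cookie: a=1; b=2" line into a name->value map.
// "Cookie: undefined" (what the background script logged) yields {}.
function parseCookieLine(line) {
  const m = /^Cookie:\s*(.*)$/i.exec(line.trim());
  if (!m || m[1] === "" || m[1] === "undefined") return {};
  const jar = {};
  for (const pair of m[1].split(";")) {
    const eq = pair.indexOf("=");
    if (eq < 0) continue;
    jar[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
  }
  return jar;
}

// Names of the expected cookies that are absent from the echoed request.
function missingCookies(expectedNames, echoedLine) {
  const jar = parseCookieLine(echoedLine);
  return expectedNames.filter((name) => !(name in jar));
}

// Compare what the opened tab echoed (step 4) with what the background
// script's fetch echoed (step 5). Returns the cookies the tab sent but the
// extension fetch did not; an empty array means the two agree, which is
// what the reporter expects from credentials: "include".
function cookiesDroppedByExtensionFetch(tabLine, backgroundLine) {
  const tabNames = Object.keys(parseCookieLine(tabLine));
  return missingCookies(tabNames, backgroundLine);
}
```

With the report's observed output, `cookiesDroppedByExtensionFetch("Cookie: None=1; Lax=1; Strict=1", "Cookie: undefined")` returns all three names, and a partial result such as `"Cookie: None=1"` narrows the failure to the Lax and Strict cookies.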
Attachments
Sample web extension (346.39 KB, application/zip), 2023-08-24 14:56 PDT, Gabriel Aubut-Lussier, no flags
cookie seen in web-inspector storage (32.55 KB, image/png), 2024-02-17 05:11 PST, Eric Slosser, no flags
Radar WebKit Bug Importer, Comment 1, 2023-08-24 14:57:16 PDT
<rdar://problem/114404587>
Gabriel Aubut-Lussier, Comment 2, 2023-08-24 14:58:39 PDT
The reason I expect Cookies to be sent is to be able to perform authenticated requests on a web service where the session id is stored in an HttpOnly, Secure and SameSite=Strict cookie. The WebExtension with the host_permissions for that domain should be able to perform authenticated requests.
Gabriel Aubut-Lussier, Comment 3, 2023-08-29 12:08:20 PDT
According to the Fetch specification (Living Standard), the credentials should be included with all requests when using the `credentials: "include"` option.
https://fetch.spec.whatwg.org/#concept-request-credentials-mode

> A request has an associated credentials mode, which is "omit", "same-origin", or "include". Unless stated otherwise, it is "same-origin".
> "include"
> Always includes credentials with this request, and always use any credentials sent back in the response.
Eric Slosser, Comment 4, 2024-02-12 14:07:47 PST
I think this might be the issue that's affecting an in-house web extension that needs to pass cookies created by the GCP auth process that an internal site uses.
Eric Slosser, Comment 5, 2024-02-12 14:11:52 PST
On 2nd look, I think not. The GCP process's Set-Cookie headers say 'SameSite=none', not 'Lax/Strict'.
Eric Slosser, Comment 6, 2024-02-17 05:08:00 PST
In my case, the server is sending Set-Cookie headers with 'Same-Site: none, Secure, HttpOnly'. These cookies should be included in the request kicked off by my extension's fetch(), but they aren't. If I relax security (menu Safari > Settings > Privacy, uncheck 'Prevent cross-site tracking'), the cookies are included. But I can't ask my extension's users to do that, of course.
Eric Slosser, Comment 7, 2024-02-17 05:11:17 PST
Created attachment 469944 [details]: cookie seen in web-inspector storage
Here's one of the GCP cookies I see after the auth process is done. This cookie isn't included in my fetch request unless I allow cross-site tracking. But this isn't a cross-site cookie; it should be allowed all the time.
Eric Slosser, Comment 8, 2024-02-17 07:00:47 PST
See also this SO post:
https://stackoverflow.com/questions/76977996/how-can-a-safari-web-extension-perform-authenticated-requests