Created attachment 467423 [details]
Sample web extension

Safari is the only browser that doesn't include Cookies when a browser extension uses `fetch("https://example.com", {credentials: "include"});` when the Cookies have the attribute SameSite=Lax/Strict.

In order to reproduce the issue, with the attached Xcode project, perform the following steps:

1. Build the extension
2. Activate it in Safari
3. The extension automatically creates 3 cookies named None, Lax and Strict with the corresponding SameSite attribute values and it automatically performs a fetch from the background script, and also opens up a tab on https://echo-http-requests.appspot.com/echo
4. Confirm that the output of https://echo-http-requests.appspot.com/echo in the opened tab includes the 3 cookies
5. Confirm that the output in the background script's console logs says Cookie: undefined

Expected behavior:
The background script's console logs say the same thing as the output in the tab https://echo-http-requests.appspot.com/echo
<rdar://problem/114404587>
The reason I expect Cookies to be sent is to be able to perform authenticated requests on a web service where the session id is stored in a HttpOnly, Secure and SameSite=Strict cookie. The WebExtension with the host_permissions for that domain should be able to perform authenticated requests.
According to the Fetch specification (Living Standard), the credentials should be included with all requests when using the `credentials: "include"` option. https://fetch.spec.whatwg.org/#concept-request-credentials-mode

> A request has an associated credentials mode, which is "omit", "same-origin", or "include". Unless stated otherwise, it is "same-origin".
> "include"
> Always includes credentials with this request, and always use any credentials sent back in the response.
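A small diagnostic for steps 4 and 5 of the repro above, added here and not part of the attached extension: it parses the server's Set-Cookie headers, compares the cookie names echoed back to the tab with those echoed back to the background fetch, and reports which cookies went missing and what SameSite value each carried. All header values below are constructed samples.

```javascript
// Parse one Set-Cookie header into its name, value and the attributes we care about.
// Attribute names are case-insensitive; a cookie without SameSite is reported as "unset".
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite : "unset";
  return { name, value, sameSite, secure: attrs.secure === true, httpOnly: attrs.httponly === true };
}

// Turn an echoed Cookie request header ("a=1; b=2") into the set of cookie names it carried.
// The repro's console shows "Cookie: undefined" when the header is absent, so treat that as empty.
function cookieNames(cookieHeader) {
  if (!cookieHeader || cookieHeader === "undefined") return new Set();
  return new Set(cookieHeader.split(";").map((s) => s.trim().split("=")[0]).filter(Boolean));
}

// For every cookie the server set, record whether it reached the tab request and the background fetch.
function compareCookieDelivery(setCookieHeaders, tabCookieHeader, backgroundCookieHeader) {
  const inTab = cookieNames(tabCookieHeader);
  const inBg = cookieNames(backgroundCookieHeader);
  return setCookieHeaders.map(parseSetCookie).map((c) => ({
    name: c.name,
    sameSite: c.sameSite,
    sentInTab: inTab.has(c.name),
    sentInBackgroundFetch: inBg.has(c.name),
  }));
}

// Constructed sample matching the repro: three cookies, all echoed in the tab,
// none echoed to the background fetch (the console logged "Cookie: undefined").
const SAMPLE_SET_COOKIES = [
  "None=1; Secure; SameSite=None",
  "Lax=1; SameSite=Lax",
  "Strict=1; SameSite=Strict",
];
const deliveryReport = compareCookieDelivery(SAMPLE_SET_COOKIES, "None=1; Lax=1; Strict=1", "undefined");
const droppedByBackground = deliveryReport
  .filter((r) => r.sentInTab && !r.sentInBackgroundFetch)
  .map((r) => `${r.name} (SameSite=${r.sameSite})`);
console.log(droppedByBackground.length
  ? `Sent to tab but missing from background fetch: ${droppedByBackground.join(", ")}`
  : "All cookies reached the background fetch");
```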
I think this might be the issue that's affecting an in-house web extension that needs to pass cookies created by a GCP auth process that an internal site uses.
On 2nd look, I think not. The GCP process's Set-Cookie headers say 'SameSite=none', not 'Lax/Strict'.
In my case, the server is sending Set-Cookie headers with 'Same-Site: none, Secure, HttpOnly'. These cookies should be included in the request kicked off by my extension's fetch(), but they aren't. If I relax security (menu Safari > Settings > Privacy, uncheck 'Prevent cross-site tracking'), the cookies are included. But I can't ask my extension's users to do that, of course.
Created attachment 469944 [details]
cookie seen in web-inspector storage

Here's one of the GCP cookies I see after the auth process is done. This cookie isn't included in my fetch request unless I allow cross-site tracking. But this isn't a cross-site cookie; it should be allowed all the time.
See also this SO post: https://stackoverflow.com/questions/76977996/how-can-a-safari-web-extension-perform-authenticated-requests