I am trying to create a Safari Web Extension that leverages a web service where authentication is required. My goal is to reproduce what is already working in both Chrome and Firefox, meaning I should be able to use the Fetch API to send requests to my domain, and the session Cookies which have the HttpOnly, Secure and SameSite=Strict attributes should be sent along.
According to the MDN documentation, it should be enough that the manifest.json file has the following keys: `host_permissions: ["mydomain.com"]` and `permissions: ["cookies"]`.
Host permissions are specified as match patterns, and each pattern identifies a group of URLs for which the extension is requesting extra privileges. […]
The extra privileges include:
- XMLHttpRequest and fetch access to those origins without cross-origin restrictions (even for requests made from content scripts)
- […]
- the ability to access cookies for that host using the cookies API, as long as the "cookies" API permission is also included.
Still, Safari won't include any Cookies at all when submitting requests. Toggling off the user preference Privacy > Prevent multidomain tracking opens up the SameSite=None Cookies, but not the others. I can't find a way around these limitations as I can't simply whitelist the extension's domain in CORS headers as it is being randomized by Safari.
Does anyone know of a way to send Cookie-authenticated requests from a Safari Web Extension?
Extra notes:
- All Cookies are sent along when creating a `WebSocket` connection in the same context, unlike the `Fetch` API.
- Cookies without the `HttpOnly` attribute can be successfully queried by a WebExtension using the `browser.cookies` API with the aforementioned `manifest.json` keys.

`fetch` invocation doesn't: (1) dev.to/pssingh21/websockets-bypassing-sop-cors-5ajm ; (2) stackoverflow.com/questions/23674199/… `fetch` to include cookies?
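To make the SameSite behaviour observed in the question concrete, here is an added example (not the asker's code): it parses a Set-Cookie header and predicts, from the cookie's Secure and SameSite attributes, whether the cookie is eligible to be attached to a given request. It assumes the extension's randomized origin counts as cross-site to the target domain, which is a simplification; browsers may grant host-permission exemptions on top of these rules.

```javascript
// Added illustration (not the asker's code): parse a Set-Cookie header and
// predict whether the cookie is eligible for a request under the Secure /
// SameSite rules of the cookie spec (RFC 6265bis).
// Assumption: an extension's randomized origin is modelled as cross-site
// to the target domain; real browsers may add host-permission exemptions.

function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: "Lax", // modern default when the attribute is absent
  };
  for (const attr of rest) {
    const [key, val = ""] = attr.split("=");
    switch (key.toLowerCase()) {
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite":
        cookie.sameSite = val ? val[0].toUpperCase() + val.slice(1).toLowerCase() : "Lax";
        break;
      default: break; // Path, Domain, Max-Age, Expires are irrelevant here
    }
  }
  return cookie;
}

// ctx: { https, sameSite (initiator is same-site as the cookie host),
//        topLevelNavigation, method }
function cookieWouldBeSent(cookie, ctx) {
  if (cookie.secure && !ctx.https) return false;
  // HttpOnly only blocks script access (document.cookie); it never blocks sending.
  switch (cookie.sameSite) {
    case "None":
      return cookie.secure; // SameSite=None is only honoured together with Secure
    case "Strict":
      return ctx.sameSite;
    default: { // Lax: same-site, or a top-level navigation with a safe method
      const safe = ["GET", "HEAD", "OPTIONS", "TRACE"];
      return ctx.sameSite || (ctx.topLevelNavigation && safe.includes(ctx.method.toUpperCase()));
    }
  }
}

// Constructed sample: the session cookie from the question and a cross-site fetch
// issued from the extension's randomized origin over https.
const sessionCookie = parseSetCookie("sid=abc123; Secure; HttpOnly; SameSite=Strict; Path=/");
const fromExtension = { https: true, sameSite: false, topLevelNavigation: false, method: "POST" };
```

Under these rules only the SameSite=None cookie survives a cross-site request, which matches the asker's observation that disabling tracking prevention unlocks just those cookies.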