Chrome extension style cookie handling?

BrianSierakowski · November 20, 2017, 10:35pm

Hey there,

Now that Quantum is out I’m scratching our old Firefox add on in favor of a web extension, and as a starting point we’re porting over our Chrome extension. Our current Chrome extension behaves as a self contained client side app, down to login creating a session cookie (and some other values) which we store.

When I attempt to authenticate with the extension in firefox, the set-cookie headers are ignored and the next request the user makes is considered unauthenticated—is that the expected behavior, or are there some headers that I have configured incorrectly that’s causing those set-cookie responses to be ignored?

My thought for a workaround would be to listen to the webrequests that the extension makes and use the cookies API to set the cookies that we hear, but I wanted to double check to make sure I’m not missing something since the default web-like behavior of saving the set-cookie values would help a lot in making our firefox extension behave like our chrome extension.

BrianSierakowski · November 21, 2017, 3:52pm

One additional note: the behavior in chrome is that the session cookie is set in the browser, so you’ll not see the cookie if you right click on an extension and look in the application data there, but you will see it by viewing all cookies in the browser (like here: chrome://settings/cookies/detail?site=localhost&search=cookies)

BrianSierakowski · November 22, 2017, 3:39pm

Update: it looks like this might be permission related? I started going down the path of implementing our own cookie setting, and in the process of troubleshooting the onHeadersReceived callback I asked for the <all_urls> permission. When I went to debug the extension, I was authed!

I had previously asked for permissions to "*://localhost:3000/*" to get the extension loading in the first place, but it looks like I needed another url permission to have cookies set?

Can anyone explain why that might be? I’d rather not ask for the <all_urls> permission, but if that’s what it takes to get cookies set it’ll have to stay.

Thanks!

freaktechnik · November 22, 2017, 6:05pm

From what I remember you need the host permission for both the origin where the request was made in and the origin the request URI belongs to.

However I can not find any relevant information in the docs anymore.