0

We are working on Chrome extensions that

  1. reads cookies from a domain which was set without SameSite attribute
  2. writes cookies to a domain without SameSite attribute

We have added permissions to both the domains in manifest.json

We enabled the following flags in Chrome browser,

  • SameSite by default cookies
  • Enable removing SameSite=None cookies
  • Cookies without SameSite must be secure

Questions

  1. Even after enabling the flags, we are able to read the cookies that were set with following values from other domain. Is that expected and if so why??

    • without SameSite attribute
    • with SameSite=strict

  2. Say an extension sets cookies without SameSite attribute in a site with a domain X.com. What happens when the site (X.com) is

    • consumed via iframe by another extension
    • consumed via iframe by another site with domain Y.com. Will the cookie be rendered with the response in both the cases??

  3. Are requests from extensions considered as cross site request??

  4. How does cookies set by extensions in a domain behaves?? Is that similar to what happens when a web site from a different domain sets a cookie??

  5. Does extensions with permissions to a domain in manifest.json be able to read cookies from the other domain irrespective of the SameSite value??

Raja S R
  • 1
  • 1
  • Good questions, I'm also looking into this and it is far from clear. I came across this today which might help: https://stackoverflow.com/a/58706403/6089612 – Don't Panic Jan 06 '20 at 13:54
  • Thank you for the response. That thread seems to be discussing changes made in the older versions. I would like to know how extensions gets affected by the SameSite changes going to be released from chrome version 80. – Raja S R Jan 08 '20 at 17:41
  • The coming change is that cookies without SameSite will default to SameSite=Lax. According to that question/answer, Chrome 78 and later will send SameSite=Lax cookies. I think that is the answer to your Q1. – Don't Panic Jan 08 '20 at 17:47
  • Yes and extensions are subject to special rules with respect to SameSite cookies it seems. Refer https://groups.google.com/a/chromium.org/forum/m/#!msg/blink-dev/AknSSyQTGYs/-BKGGqnWCAAJ – Raja S R Jan 15 '20 at 00:59

1 Answers1

0

howdy i'm pretty sure this isn't going to work due to the way chrome extensions operate outside the cookie store. It won't be able to read/write those values..

quick feedback
  • 16
  • Thanks for the reply. Could you please elaborate more on this?? We were able to read cookies that were set without SameSite value from extension after enabling those flags. It was working without any warning. It would be helpful if you could tell us more on the behaviour you are talking about. – Raja S R Jan 05 '20 at 16:41
  • I'm not 100% clear on your usecase -- you should explain the business process or product or what a user gets out of the process. The extension you are describing could also be used to build an ad fraud extension that does shady things, so clarifying that is important. Google has a support doc @ https://developer.chrome.com/extensions/xhr about this and flags how to do it safely and some potential problems. Basically, some things "can be done" but then aren't safe & get removed from the extension store eventually. happy to try and clarify or provide details, best of luck. – quick feedback Jan 08 '20 at 02:55
  • We have extensions which reads few cookies from other domain which are not set with SameSite attribute. Also it sets few cookies without SameSite cookie. I would like to know how the changes related to SameSite that will be released from version 80 affects the behaviour of extensions. Also, we load websites via iframe. From version 80, will these cookies gets rendered in the browser?? – Raja S R Jan 08 '20 at 17:46