SameSite Cookies Deprecation


Manthan Mallikarjun

Dec 25, 2023, 7:21:10 PM
to Chromium Extensions
I noticed that SameSite cookies are being deprecated early next year by Chrome. How do y'all do auth? Right now I just set the cookie on my domain with sameSite set as `None`, then allow requests from the origin `chrome-extension://<ID>`; however, it seems like this will break. One thing I really liked about this method is that I could use "magic links", where I can send the user an email with a link and, when they got to my API domain, set the cookie there and they'd be authenticated in my Chrome extension.

Seems like in general this wouldn't be possible starting January, and the only idea I can think of is using Chrome's storage to store the auth token.

Manthan Mallikarjun

Dec 25, 2023, 7:24:13 PM
to Chromium Extensions, Manthan Mallikarjun
Can't edit my original message but here is an example: https://stackoverflow.com/a/64110492

Jackie Han

Dec 26, 2023, 1:44:07 AM
to Manthan Mallikarjun, Chromium Extensions
According to the official guide https://developers.google.com/privacy-sandbox/3pcd 
  • Storage Access API
  • Related Website Sets
  • Partitioned cookies
could be used to solve this problem depending on your authentication method. I haven't used it. You can try it.


Manthan Mallikarjun

Dec 26, 2023, 2:42:35 AM
to Chromium Extensions, Jackie Han, Chromium Extensions, Manthan Mallikarjun
Hmmm, so I looked a bit deeper and it seems like adding `host_permissions` should work. Any ideas if this is a good solution long term?

Jackie Han

Dec 26, 2023, 3:21:08 AM
to Manthan Mallikarjun, Chromium Extensions