The chrome.cookies API now has support for SameSite=None


chl...@chromium.org
May 7, 2019, 4:44:20 PM
to Chromium Extensions, Mike West, Karan Bhatia
Hello developers,

The chrome.cookies API now has support for the SameSite=None attribute, which explicitly marks a cookie as available in a third-party context. To read more about the SameSite attribute and SameSite=None, please see this post on web.dev.

To set a cookie with SameSite=None, set the optional sameSite property to "no_restriction" when calling chrome.cookies.set. As before, to set a SameSite=Lax or SameSite=Strict cookie, you can set the sameSite property to "lax" or "strict", respectively. If left out, the optional sameSite property defaults to "unspecified", which corresponds to setting a cookie without specifying a SameSite attribute (*). Best practice is always to be explicit in stating the SameSite attribute so your intent is clear.

Support for SameSite=None is now available on M76 canary and will soon be available on dev channel.



(*) The previous default setting was called "no_restriction", which was confusingly named because it actually set a cookie without specifying a SameSite attribute. Now the default has been renamed "unspecified" because it does not specify a SameSite attribute, and the "no_restriction" setting now explicitly states the intention for an unrestricted cookie with SameSite=None.

kurtextrem
May 8, 2019, 10:40:55 AM
to Chromium Extensions, mk...@chromium.org, karan...@chromium.org
Are there any restrictions for chrome.cookies.get and/or for chrome.webRequest?
While testing #same-site-by-default-cookies & #cookies-without-same-site-must-be-secure, it seemed like the Cookie header went missing from the chrome.webRequest.onBeforeSendHeaders details (extraHeaders set). When I turn off the flags, it works again.

Lily Chen
May 8, 2019, 10:50:00 AM
to kurtextrem, Chromium Extensions, mk...@chromium.org, karan...@chromium.org
There should be no changes to chrome.cookies.get or to chrome.webRequest.

Are the cookies you are expecting default/unspecified, or no_restriction? If they are no_restriction, they must also be Secure or they will be ignored and not sent (if #cookies-without-same-site-must-be-secure is enabled). Maybe that is why you're not getting the expected cookies. Alternatively, try turning off #cookies-without-same-site-must-be-secure, or setting the Secure attribute on the cookie if you haven't already done so.

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To post to this group, send email to chromium-...@chromium.org.
Visit this group at https://groups.google.com/a/chromium.org/group/chromium-extensions/.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/5dd25258-716f-4551-80e1-2ca5d462e602%40chromium.org.
For more options, visit https://groups.google.com/a/chromium.org/d/optout.

kurtextrem
May 9, 2019, 2:43:32 AM
to Chromium Extensions, kurte...@gmail.com, mk...@chromium.org, karan...@chromium.org
The cookies are "Secure", SameSite unspecified. I send a fetch request with the options: `credentials: "include", mode: "cors"`.
If I read correctly, does this imply that when turning on both flags (or one of the flags), I must set SameSite on all cookies I want to have in the request, using my extension?



Lily Chen
May 9, 2019, 10:45:43 AM
to kurtextrem, Chromium Extensions, mk...@chromium.org, karan...@chromium.org
If I read correctly, does this imply that when turning on both flags (or one of the flags), I must set SameSite on all cookies I want to have in the request, using my extension?

No, this should not be the case. Leaving SameSite unspecified (defaulting to Lax) should work, as should SameSite=None (in conjunction with Secure if you have the second flag turned on).

The behavior you describe seems unexpected and may be a bug. Could you please file a bug report at bugs.chromium.org with the steps to reproduce, and attach the components Internals>Network>Cookies and Platform>Extensions>API? Thanks!

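As an added example (not code from this thread or from the Chromium project), the following ties together the sameSite values from the announcement and the point in Lily Chen's replies that a "no_restriction" cookie is ignored unless it is also Secure. It builds an explicit chrome.cookies.set details object, refuses the combination Chrome drops, and audits a chrome.cookies.getAll result for cookies that would go missing; the URLs, names and values are constructed sample data.

```javascript
// Added example, not from the thread or the Chromium project. Builds the
// "details" object for chrome.cookies.set with an explicit sameSite value and
// rejects the combination Chrome silently ignores once
// #cookies-without-same-site-must-be-secure is on: SameSite=None without Secure.
// URLs, cookie names and values below are constructed sample data.
const SAMESITE_VALUES = new Set(["no_restriction", "lax", "strict", "unspecified"]);

function buildCookieDetails({ url, name, value, sameSite = "lax", secure = false,
                              httpOnly = true, path = "/" }) {
  if (!SAMESITE_VALUES.has(sameSite)) {
    throw new RangeError(`unknown sameSite "${sameSite}" (SameSite=None is "no_restriction")`);
  }
  if (sameSite === "no_restriction" && !secure) {
    throw new Error("SameSite=None cookies must also be Secure or Chrome will ignore them");
  }
  if (secure && !url.startsWith("https://")) {
    throw new Error("a Secure cookie can only be set for an https:// URL");
  }
  return { url, name, value, path, secure, httpOnly, sameSite };
}

// Diagnostic for the symptom in the thread (cookies missing from requests): given
// the result of chrome.cookies.getAll, list cookies dropped under the must-be-Secure rule.
function cookiesDroppedByMustBeSecure(cookies) {
  return cookies.filter((c) => c.sameSite === "no_restriction" && !c.secure);
}

// Promise wrapper over chrome.cookies.set's callback form; rejects with chrome.runtime.lastError.
function setCookie(details, api = globalThis.chrome && globalThis.chrome.cookies) {
  if (!api) throw new Error('chrome.cookies unavailable: needs an extension with the "cookies" permission');
  return new Promise((resolve, reject) => {
    api.set(details, (cookie) => {
      if (cookie) resolve(cookie);
      else reject(new Error(globalThis.chrome?.runtime?.lastError?.message || "cookie rejected"));
    });
  });
}

// A cross-site session cookie: explicitly unrestricted, therefore Secure.
const crossSiteCookie = () => buildCookieDetails({
  url: "https://api.example.test/", name: "session", value: "s3ss10n",
  sameSite: "no_restriction", secure: true,
});
// Constructed sample of what chrome.cookies.getAll might hand back.
const SAMPLE_COOKIES = [
  { name: "session", secure: true, sameSite: "no_restriction" },
  { name: "legacy", secure: false, sameSite: "no_restriction" },
  { name: "csrf", secure: true, sameSite: "unspecified" },
];
```

Inside an extension with the "cookies" permission, `setCookie(crossSiteCookie())` stores the cookie; outside Chrome the builder and the audit helper still run on their own.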