How to get all cookies using chrome.cookies.getAll from chrome extension?

7,944 views
Skip to first unread message

Felipe Forbeck

unread,
Oct 27, 2016, 5:28:42 PM10/27/16
to apps-dev

If I call chrome.cookies.getAll from chrome debug console with my extension enabled I get different cookies than the ones that I get when call the same function but from my extension code. Any idea why?

My chrome extension populates a login form and them hit submit. This call is fired from my main script called intercept.js.


Login call:

 chrome.tabs.executeScript(tabId, {file: 'login.js'}, callback);


Then, in the callback function I have a timeout call to wait for X seconds, assuming the login went fine:

setTimeout(getCookies, 10000);


The getCookies function looks like this:

chrome.cookies.getAll({}, function (cookies) {
            var a = [];
            log("@getCookies. Cookies found " +  cookies.length);
            cookies.forEach(function(cookie) {
                log("[COOKIE] => " + JSON.stringify(cookie));
                a.push({
                    name: cookie.name,
                    value: cookie.value,
                    domain: cookie.domain,
                    secure: cookie.secure,
                    path: cookie.path
                });
            });
            results[tabId].cookies = a;
        }
    );


The same call returns 2 different results. If I executed getCookies from my extension I have only this cookie:

{"domain":".mydomain.com","expirationDate":1509134405.49222,"hostOnly":false,"httpOnly":false,"name":"token_x","path":"/","sameSite":"no_restriction","secure":true,"session":false,"storeId":"0","value":"..."}


However, if I execute the same function via debug tools from chrome with my extension enabled, I see 3 cookies:

{"domain":".mydomain.com","expirationDate":1509134405.49222,"hostOnly":false,"httpOnly":false,"name":"token_x","path":"/","sameSite":"no_restriction","secure":true,"session":false,"storeId":"0","value":"..."}

{"domain":".mydomain.com","expirationDate":1480190782.506759,"hostOnly":false,"httpOnly":true,"name":"accesstoken","path":"/","sameSite":"no_restriction","secure":true,"session":false,"storeId":"0","value":"..."}

{"domain":".mydomain.com","expirationDate":1480190782.50701,"hostOnly":false,"httpOnly":true,"name":"refreshtoken","path":"/","sameSite":"no_restriction","secure":true,"session":false,"storeId":"0","value":"..."}


I thought it could be something related to permissions, but did not find anything related. I do have the tabs and cookies permissions enabled. Here is my manifest file:

  {
      "name": "DOM/LINK extractor",
      "version": "1.0",
      "manifest_version": 2,
      "description": "DOM/LINK extractor plugin",
      "minimum_chrome_version": "55",
      "permissions": [
        "webRequest",
        "webRequestBlocking",
        "tabs",
        "cookies",
        "browsingData",
        "storage",
        "processes",
        "<all_urls>"
      ],
      "background": {
        "page": "background.html"
      }
    }


The documentation says that I can call chrome.cookies.getAll from my extension code, but only in the background.html. My background.html loads the main script intercept.js `

<!doctype html>
<script src="intercept.js"></script>
<body></body>


Any idea why I am not able to see the same cookies for both calls?

Thank you!

Antony Sargent

unread,
Oct 27, 2016, 7:10:36 PM10/27/16
to Felipe Forbeck, Chromium-extensions
Hmm, I wonder if it has something to do with the httpOnly property (the extra ones have httpOnly set to true). What happens if you do the following?


function printCookies(msg) {
  return function() {
    console.log(msg);
    chrome.cookies.getAll({}, cookies => console.log(JSON.stringify(cookies));
  }
}

var callback = function() {
  setTimeout(printCookies("from callback:"), 10000);  
};
chrome.tabs.executeScript(tabId, {file: 'login.js'}, callback);
setTimeout(printCookies("not from callback:"), 10000);


and then also manually call:

printCookies("manual")();

from the devtools on the background page?

Do the cookies printed "from callback" and "not from callback" both agree?



[moving apps...@chromium.org to BCC, since that list is for discussing internal implementation details of apps APIs, and adding chromium-...@chromium.org to CC which is the right place to ask these sorts of questions]

Felipe Forbeck

unread,
Oct 28, 2016, 9:59:04 AM10/28/16
to apps-dev, felipe....@gmail.com, chromium-...@chromium.org
Hi, thanks for the inputs.

So, `Cookies NOT from callback` are empty.

`Cookies from callback` returned only that 1 which has httpOnly=false.

The printCookies("manual") returned all 3 cookies.

I believe the background script execution does not have the same permissions as we have when we are running chrome console.

I didn't notice the `httpOnly` flag and I believe this is the reason. Because httpOnly means that the cookie is accessible only by the server side.
So the scripts on client side won't be able to read them. It is to prevent XSS attacks. 

It might work with old chrome versions though, if the httpOnly was not supported yet,
but I can't downgrade the chrome version because only v55-dev allows me to use the tab.processes API for better tab management.

Thank you!!
Reply all
Reply to author
Forward
0 new messages