> if you add your authentication server url to the manifest host permission, then cookies will be shared on both web app and extension.
I didn't write that. I've always thought that including server URLs permits making CORS requests through the extension when the server normally does not deal with origins other than its own (or a set of origins decided by the web admin).
Cookies instead are set on server request via a response header, whether I'm dealing with an extension or not.
Furthermore, many servers can be reached even if their URLs have not been included in the "host_permissions" section.
Apart from this spartan clarification, I will now try to better explain the use case I had raised.
Let's say I developed an extension that logs in to Pinterest and fetches the first image from the Pinterest profile I logged in with.
I don't own Pinterest, so I cannot build 2 different authentication methods. :-)
For simplicity, let's assume that the user and password have already been stored within the extension.
This image will then be shown in a window, tab or popup (the destination does not matter).
Before starting to write some code I spied a little behind the scenes to understand how Pinterest login credentials are transmitted, and I discovered that this information is transmitted with a normal POST request to the server.
I took note of all the fields necessary for this kind of request and mimicked it down to the smallest detail inside my extension.
I then went to take a look at the response that the Pinterest server returned to me in case the login phase failed and in case it was successful.
If I was successful, all I have to do is analyze the response that the server returned to me (the HTML document) and extract the image using the most common JS methods for selecting DOM elements.
I display the image in the popup and that's it.
So far I hope I have been clear.
Now, without my extension explicitly logging out after capturing the image, I go and type the Pinterest URL in the address bar (of the SAME browser where the extension is installed) and I notice that I am not being asked for login credentials, as I am already logged in!
I am logged in because the cookies that Pinterest asked the browser to save (via the extension) are the same ones that will then be read by normal navigation (i.e. through the address bar) of the same browser.
So far I hope I have been clear.
Now I get to the crux of the matter, which is my clearly off-topic question from the initial thread (by the way, I apologize to @Ronak Bhandari).
My question is very simple: is it possible to somehow isolate the cookies saved by the extension so that they are not then read by browsing outside the extension?
If I now opened another browser (e.g. Firefox) and tried to reach the Pinterest page, I would NOT find myself logged in, as on the same browser where I operated with the aforementioned extension.
So is it possible, or will it ever be possible and/or desirable, to have a world of extension cookies separate from the world of cookies of other types of navigation?
It could also be seen as having a browser instance (extension) inside a browser instance (the client), with the two instances well isolated (at least as far as cookies are concerned, and only if/when the user or developer requests this behaviour).
A bit like how injected content scripts can be isolated from the page's native JS code (the default) or access what is called the "main world".
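As an added example (not code from this thread or from any browser vendor): while the shared cookie jar cannot be partitioned for a background `fetch`, an extension can at least clean up after itself by snapshotting the site's cookies before its own request and removing only the ones that request introduced, so the session does not linger for normal browsing. It assumes an MV3 extension with the `cookies` permission and `host_permissions` for the site; `chrome.cookies` is the real API, passed in as `cookiesApi` so the pure parts can be exercised outside a browser, and `example.com` is a placeholder site.

```javascript
// Added example, not from the original post. Assumes the "cookies" permission
// and host_permissions for the site; chrome.cookies is injected as cookiesApi.

// Stable identity of a cookie within a cookie store.
function cookieKey(c) {
  return [c.storeId || "", c.domain, c.path, c.name].join("|");
}

// Rebuild the URL that chrome.cookies.remove() expects from the cookie's own
// attributes (a leading dot marks a domain cookie and is not part of the host).
function cookieUrl(c) {
  const host = c.domain.startsWith(".") ? c.domain.slice(1) : c.domain;
  return (c.secure ? "https://" : "http://") + host + c.path;
}

// Cookies present in `after` that were not present in `before`.
function newCookies(before, after) {
  const seen = new Set(before.map(cookieKey));
  return after.filter((c) => !seen.has(cookieKey(c)));
}

// Run `work` (e.g. the extension's own fetch to the site), then delete every
// cookie that the site set during it, even if `work` throws.
async function withEphemeralCookies(cookiesApi, domain, work) {
  const before = await cookiesApi.getAll({ domain });
  try {
    return await work();
  } finally {
    const after = await cookiesApi.getAll({ domain });
    for (const c of newCookies(before, after)) {
      await cookiesApi.remove({ url: cookieUrl(c), name: c.name, storeId: c.storeId });
    }
  }
}

// Usage inside the extension's service worker (placeholder site):
// withEphemeralCookies(chrome.cookies, "example.com",
//   () => fetch("https://example.com/"));
```

Note that this removes the session cookies for the whole profile, including any the user already had for that site before the extension ran only if they appear in `after` but not `before`, i.e. pre-existing cookies are left untouched.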