Chrome extension and partitioned cookies

wong2

May 11, 2024, 3:25:15 AM
to Chromium Extensions
Hi, I'd like to have clarifications on how partitioned cookies will affect chrome extensions.

For example, previously if my extension has host permission for domain.com, when sending a request from my extension to domain.com, the cookies set on domain.com will be sent along. However, now if the cookies are set partitioned to domain.com, those cookies will not be sent anymore.

One example is Cloudflare's cf_clearance cookie. I think they recently enabled cookie partitioning, which breaks my extension, because without the cf_clearance cookie, requests will result in a 403 error.

PS: my extension doesn't have `cookies` permission and I prefer not to request it because it's very sensitive to users.

Oliver Dunk

May 11, 2024, 7:02:36 AM
to wong2, Chromium Extensions
Hi,

Currently, there is no special logic to change how the partition key is calculated for extension schemes. As a result, the behavior where you aren't able to access cookies partitioned to domain.com from a chrome-extension:// page is expected.

There are some open issues to consider changing this, including https://issues.chromium.org/40922761. We already have some exceptions for SameSite behavior in extension pages that existed before the third-party cookie deprecation work started, so if we made that change, it should be sufficient for you to begin accessing the cookies again.

There's a limited amount of information here although it doesn't currently say much / anything about partitioning.

I understand the general use case for cf_clearance, but would you be able to share more about the reason for accessing it in an extension? I'm continuing to pass feedback about different situations like this to the team, with the hope of making some changes in the future, so any compelling reasons I can share for prioritising that work would be appreciated :)

Thanks,

Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB
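
Added example, not part of the original thread and not Chromium code: a toy model of the partition-key check described in the reply above, showing why a cookie partitioned to domain.com is not attached to a request made from a chrome-extension:// page. The `CookieJar` class, the `siteOf` helper, the extension ID and the cookie values are constructed for illustration, and the registrable-domain logic is simplified.

```javascript
// Toy cookie jar keyed the way the thread describes. Not Chromium code;
// all names and sample values are constructed.

// Top-level site of a page URL. Simplification: the last two host labels stand
// in for the registrable domain (browsers use the Public Suffix List).
function siteOf(pageUrl) {
  const u = new URL(pageUrl);
  if (u.protocol === "chrome-extension:") return `${u.protocol}//${u.hostname}`;
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Store a cookie set by `host` while `topLevelUrl` was the top-level page.
  // A partitioned cookie remembers that top-level site as its partition key.
  set(host, name, value, topLevelUrl, partitioned) {
    const partitionKey = partitioned ? siteOf(topLevelUrl) : null;
    this.cookies.push({ host, name, value, partitionKey });
  }

  // Names of cookies attached to a request to `host` from a page at `topLevelUrl`.
  // Unpartitioned cookies are attached whenever the host matches (as the thread
  // describes for an extension holding host permission); partitioned cookies
  // only when the requesting page's top-level site equals the stored key.
  cookieNamesFor(host, topLevelUrl) {
    const key = siteOf(topLevelUrl);
    return this.cookies
      .filter(c => c.host === host)
      .filter(c => c.partitionKey === null || c.partitionKey === key)
      .map(c => c.name);
  }
}

function demo() {
  const jar = new CookieJar();
  const site = "https://domain.com/";
  const ext = "chrome-extension://aaaabbbbccccdddd/popup.html"; // constructed ID
  jar.set("domain.com", "session", "s1", site, false);     // unpartitioned
  jar.set("domain.com", "cf_clearance", "c1", site, true); // Partitioned
  return {
    fromSite: jar.cookieNamesFor("domain.com", site),
    fromExtension: jar.cookieNamesFor("domain.com", ext),
  };
}

console.log(demo());
```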


wong2

May 12, 2024, 12:19:39 AM
to Chromium Extensions, Oliver Dunk, Chromium Extensions, wong2
In our use case, the extension needs to call the API of some web app on behalf of the user, but they're protected with Cloudflare; that's why we need to pass the cf_clearance cookie for it to work.

I really look forward to this being solved. I think it'll break many extensions, and it hasn't got enough notice right now.
