
When the user logs in through my website (running on localhost:3000), my server (running on localhost:8080) sends back a session cookie and this cookie keeps the user logged in.

const express = require("express")
const cookieSession = require("cookie-session")

const app = express()
app.use(cookieSession({
    name: "my-session",
    secret: process.env.SESSION_COOKIE_SECRET, // signs the cookie value; must be set in the environment
    maxAge: 24 * 60 * 60 * 1000,               // 24 hours, in milliseconds
}))

The website has an accompanying Chrome extension and I want to use the same session cookie to authenticate the user, so they don't have to log in in two different places.

I can get a handle to that cookie inside my Chrome extension:

// Background service worker: read the site's session cookie from the browser's cookie jar
chrome.cookies.get({ "url": "http://localhost:3000", "name": "my-session" }, async cookie => {
    if (!cookie) return; // no cookie for that URL/name
    console.log("found cookie: " + cookie.value);
    // Call the API server with credentials; the cookie is expected to be attached
    const response = await fetch(
        'http://localhost:8080/users',
        {
            method: "GET",
            credentials: 'include',
        }
    )
})

The cookie was found but it is not sent to my server when the extension makes the request.

This is inside the background script, so I have no document to attach the cookie to. However, I tried setting document.cookie = cookie (and cookie.value) in the popup script and doing the same request from there, but the cookie was still missing from the request.

How can I send my website's cookie through my Chrome extension, preferably from the background script?

Florian Walther
  • You can use webRequest to set `cookie` and `set-cookie` headers manually [like Violentmonkey does](https://github.com/violentmonkey/violentmonkey/commit/18fe83d7fd89ed2a80ae1cf27ef81f490ba5e59e). – wOxxOm Feb 21 '22 at 21:04
  • @wOxxOm Thank you, this looks like what I need. Is there a simpler example? I have no clue what is going on in that snippet. – Florian Walther Feb 21 '22 at 21:09
  • @wOxxOm Thank you! Is this the way to go (manually adding the cookie to the request) or is there also another way (so that `credentials : include` would suffice)? – Florian Walther Feb 22 '22 at 09:13
  • Turns out, `blocking` `onBeforeSendHeaders` doesn't work anymore in Manifest V3 so that's not an option. – Florian Walther Feb 22 '22 at 09:33
  • @wOxxOm I added the host permission for my web server (before I only had host permission for my website) to the manifest and now it seems to send the cookie automatically (with `credential='include'`). Does this make sense? – Florian Walther Feb 22 '22 at 13:16
  • I misunderstood the problem. My comments above were about a separate storage for cookies. Adding the permission makes this site kinda same-origin for your extension so it reuses the cookies. – wOxxOm Feb 22 '22 at 13:18
  • @wOxxOm Perfect, that's what I needed! I guess my lack of understanding of cookies made my question confusing. Your comments under similar SO questions helped me find the right direction. If you want to post your comment as an answer I would go ahead and accept it. I am sure it will help some people like me because this was actually not obvious. – Florian Walther Feb 22 '22 at 13:21
  • Now that we know the solution I feel like there must be an existing answer for such a basic feature. – wOxxOm Feb 22 '22 at 14:07
  • @wOxxOm I searched through Google for hours and I eventually got it to work by chance. If it is somewhere explained in simple terms, I didn't find it. Part of the reason could be that manifest V3 and the `host_permissions` field is relatively new. – Florian Walther Feb 22 '22 at 14:28
  • You solved it, you post it :-) – wOxxOm Feb 22 '22 at 15:54
  • @wOxxOm If my extension can use my website's auth cookie just like this, what's keeping other extensions from abusing this to access my server via this user account? Is the `host_permissions` entry the only security measure? – Florian Walther Feb 22 '22 at 22:53
  • 1
    Any extension can access it, of course. There's no easy solution but you can try to lock you server to the extension's id by using `post` method in the extension so its origin will be sent to the server where you'll check it. Still, another extension not from a web store may impersonate your id if the user installs it locally in unpacked mode using the `key` from your published manifest.json. – wOxxOm Feb 22 '22 at 23:24
  • @wOxxOm Thank you. I just wanted to make sure that I'm not missing something in my implementation. I guess the `host_permissions` entry will show the user some kind of warning that this extension can access the data of this website in this way. – Florian Walther Feb 23 '22 at 09:25
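The two pieces the comment thread arrives at, as an added example that is not code from the original post: the Manifest V3 `host_permissions` entry for the API server that makes `credentials: 'include'` reuse the browser's cookie jar, and the server-side Origin allowlist wOxxOm suggests so that only the site and the author's own extension id can use the session cookie. The extension id, the `runGuard` driver and the Express-style `originGuard` middleware are illustrative assumptions; the origins are the two localhost ports from the question.

```javascript
// Added example, not from the original post. The extension id below is an
// assumed placeholder; the two localhost origins come from the question.

// 1) Manifest V3 fragment. With a host permission for the API server, a fetch
//    from the background service worker with credentials: 'include' sends the
//    browser's cookies for that host, so no manual Cookie header (and no
//    chrome.cookies.get) is needed.
const manifestFragment = {
  manifest_version: 3,
  host_permissions: ["http://localhost:3000/*", "http://localhost:8080/*"],
};

// 2) Server side. Any extension that declares the same host permission gets
//    the same cookie, so the cookie alone does not say who is calling. Chrome
//    sends Origin: chrome-extension://<id> on the extension's cross-origin
//    fetches; use POST for the authenticated calls (as wOxxOm suggests) so the
//    header is always present, and allow only the site and the known id.
//    Caveat from the thread: an unpacked extension built with the published
//    "key" reproduces the id, so this is a speed bump, not a trust boundary.
const SITE_ORIGIN = "http://localhost:3000";
const EXTENSION_ID = "abcdefghijklmnopabcdefghijklmnop"; // assumed id
const ALLOWED_ORIGINS = new Set([SITE_ORIGIN, `chrome-extension://${EXTENSION_ID}`]);

// Normalise an Origin header value to scheme://host[:port]; null if absent,
// malformed, or the literal opaque origin "null".
function normalizeOrigin(value) {
  if (typeof value !== "string" || value.length === 0) return null;
  try {
    const u = new URL(value);
    // URL.origin is "null" for non-special schemes such as chrome-extension:
    return u.origin !== "null" ? u.origin : `${u.protocol}//${u.host}`;
  } catch {
    return null;
  }
}

// Express-style middleware (req, res, next). A missing Origin is tolerated only
// for safe methods (plain navigations); anything else must carry an allowed
// origin. Allowed origins get the matching CORS headers for credentialed use.
function originGuard(req, res, next) {
  const origin = normalizeOrigin(req.headers.origin);
  if (origin === null) {
    if (req.method === "GET" || req.method === "HEAD") return next();
    res.statusCode = 403;
    return res.end("missing Origin");
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    res.statusCode = 403;
    return res.end("origin not allowed");
  }
  res.setHeader("Access-Control-Allow-Origin", origin); // never "*" with credentials
  res.setHeader("Access-Control-Allow-Credentials", "true");
  res.setHeader("Vary", "Origin");
  if (req.method === "OPTIONS") { // CORS preflight for the site's fetches
    res.setHeader("Access-Control-Allow-Methods", "GET, POST");
    res.statusCode = 204;
    return res.end();
  }
  return next();
}

// Drive the middleware with plain request/response objects so it can be
// exercised without a running server; returns what a client would observe.
function runGuard(method, originHeader) {
  const headers = {};
  let passed = false;
  const req = { method, headers: originHeader === undefined ? {} : { origin: originHeader } };
  const res = {
    statusCode: 200,
    setHeader(name, value) { headers[name] = value; },
    end() {},
  };
  originGuard(req, res, () => { passed = true; });
  return { status: res.statusCode, headers, passed };
}
```

In the real server this is `app.use(originGuard)` placed before the `cookieSession` routes; `manifestFragment` is only there to show the exact `host_permissions` lines that made the asker's `credentials: 'include'` request start carrying the cookie.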

0 Answers