Reputation: 3208
We have a file sharing service, http://ge.tt, and a few extensions for Chrome. One of them adds extra capabilities to Gmail.
In this extension we ask users to log in to Ge.tt before they are able to use the extension. Since they are already logged in on Ge.tt it would be great if they didn't have to log in again, and it causes some users to misunderstand how it works.
What would be a good way to go about tackling this problem? Do others have the same issue?
Upvotes: 6
Views: 2503
Reputation: 5353
For example, the Grammarly extension can detect if you are logged in to the Grammarly site.
They are using this permission (and actually it is enabled on ALL sites; they can read even httpOnly cookies on any site).
N.B. I don't know why they are listening for cookies; they could (as pointed out by @alex-k) just make a request to api.grammarly.com/is-authenticated, because I see they don't use same-site=strict or lax.
This is a screenshot after I logged out and the extension made a request to log some action on their site; the server set an anonymous cookie in my browser.
Upvotes: 6
Reputation: 7247
You can simply make an HTTP request from the extension to the user-only page to see if they are logged in. Something like ge.tt/my-profile-ping which returns 1 if the user is logged in, 0 otherwise.
Extensions share the same cookies the browser does, so you just need to test if they are logged in and continue displaying logged-in-only data in your extension.
Also, don't forget to enable requests in your extension manifest for the domains ge.tt and www.ge.tt, and probably the https version also (if you haven't already).
Something like this in your manifest.json:
...
"permissions": [ "http://ge.tt/*", "https://ge.tt/*", "http://www.ge.tt/*", "https://www.ge.tt/*" ]
...
Upvotes: 6
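Added example, not part of the answer above or of Ge.tt's code: one way to write the ping check so that it fails closed. It assumes the hypothetical endpoint ge.tt/my-profile-ping from the answer returns the body "1" or "0"; the function names and the constructed stub responses are illustrative.

```javascript
// Added example. PING_URL is the hypothetical endpoint named in the answer,
// assumed to return the body "1" when logged in and "0" otherwise.
const PING_URL = "https://ge.tt/my-profile-ping";

// Pure decision function: fail closed on anything except an exact "1"
// served with HTTP 200 from the expected HTTPS origin and path.
function interpretPing(status, finalUrl, body) {
  let url;
  try {
    url = new URL(finalUrl);
  } catch (e) {
    return false; // unparsable final URL
  }
  const expected = new URL(PING_URL);
  if (url.origin !== expected.origin) return false;     // redirected off-site or downgraded to http
  if (url.pathname !== expected.pathname) return false; // redirected, e.g. to a login page
  if (status !== 200) return false;
  return body.trim() === "1";
}

// Performs the request. fetchImpl is injectable so the logic can be run
// outside a browser; in the extension it defaults to the global fetch.
async function isLoggedIn(fetchImpl = fetch) {
  try {
    const res = await fetchImpl(PING_URL, {
      credentials: "include", // send the site's session cookies with the request
      cache: "no-store",      // never reuse a cached answer from a previous session
    });
    return interpretPing(res.status, res.url, await res.text());
  } catch (e) {
    return false; // network error or blocked request: treat as logged out
  }
}

// Constructed responses standing in for the server.
const fakeFetch = (status, url, body) => async () => ({ status, url, text: async () => body });
isLoggedIn(fakeFetch(200, PING_URL, "1")).then((v) => console.log("session:", v));
isLoggedIn(fakeFetch(200, "https://ge.tt/login", "<html>")).then((v) => console.log("login page:", v));
```

The result only decides what the extension displays; the server still has to authorize every request that returns or changes user data.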