CODEWITHSUNDEEP
google-chrome-extensionxmlhttprequestcorscsrffetch-api
majackson
majackson

Reputation: 2963

Fetch API not sending session cookies when used inside a Chrome Extension

I'm trying to make a Chrome Extension which scrapes some details from Pull Requests on Github using the Fetch API, and then displays them elsewhere. I'm running into some problems when I try to use this with a non-public repository on Github. I believe this is related to CSRF protection, and the rules that govern Chrome extensions having access to session cookies.

I have the following in my extension's manifest.json:

"content_scripts": [{
    "matches": [
        "*://github.com/*/*/pulls"
    ],
    "js": ["script/underscore-1.8.3.min.js", "script/content.js"]
}],
"permissions": [
    "tabs",
    "activeTab",
    "*://github.com/*",
    "webNavigation"
]

But when I run the following from within my script/content.js:

fetch('/redacted/redacted/pull/4549', {credentials: 'same-origin'}).then((response) => {
    return response.text();
}).then((text) => {
    // do cool stuff
})

This produces a 404 response from Github. Inspecting this request with Chrome Inspector's network tab, I can see it is not sending my GitHub session header with the request.

If I make the very same request using the Javascript prompt in the Inspector, I can see a 200 response, and I can see that it is sending my session cookies.

My understanding was that specifying the Github domain in my manifest.json would mean my extension would have access to my session data in my content scripts, is this not correct? What should I be doing to make a valid request to this protected content?

Upvotes: 11

Views: 6190

Answers (3)

Adamovskiy
Adamovskiy

Reputation: 1583

  1. "permissions" in manifest may contain only known permission strings. In order to let it call GitHub, use "host_permissions" instead:
...
"permissions": [
    "tabs",
    "activeTab",
    "webNavigation"
],
"host_permissions: [
    "*://github.com/*",
]
  1. 'same-origin' is the default value for credentials property, it can be omitted. This value restricts sending cookies and authentication HTTP headers to domains other than the calling script origin. Chrome extension origin looks like chrome-extension://abcxyz.. and won't send even GitHub cookies to the GitHub. Instead you need credentials: 'include'. This is true for an extension that overrides a Chrome URL, not sure about others.

Upvotes: 0

Daiwei
Daiwei

Reputation: 43596

According to Chrome blog, to include cookies you need credentials: 'include' instead of credentials: 'same-origin'.

Upvotes: 9

adjuremods
adjuremods

Reputation: 2998

Specifying github in the permissions only gives access to the host, its there to limit damage if the extension/app is compromised by malware (source).

Its not indicated in the content script documentation that session data can be retrieved in content scripts, just their DOMs. I think it would be better if you use and incorporate the official Github API in the chrome extension project you're creating.

Upvotes: -3

Related Questions