jennyAOA

Reputation: 11

Setting SameSite=none, secure in Chrome Extension

After Chrome's recent 77.0 update, I began to receive this warning on my Chrome extension's background page.

A cookie associated with a cross-site resource at http://www.google.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I was able to return the extension to its previous working condition by setting "SameSite by default cookies" to 'enabled' on chrome://flags.

When this temporary, client-side fix is disabled and this code is executed,

console.log(rtLink)

rtLink comes back as undefined. When the client-side fix is enabled, it executes correctly and displays the URL found from the Google search.

//console.log("Background.js is running");

chrome.runtime.onMessage.addListener(
    function(request, sender, sendResponse) {
        // request is passed straight to fetch()
        fetch(request)
            .then(function(response) {
                return response.text();
            })
            .then(function(html) {
                var parser = new DOMParser();
                var doc = parser.parseFromString(html, "text/html");

                // Finds and sets the first search term URL to rtLink
                var rtLink = doc.getElementsByClassName("r")[0].children[0].href;
                console.log(rtLink);
            });
    }
);

My question is, how do I go about setting SameSite=Lax (or None) and Secure on my fetch request/response? Or perhaps I am asking the wrong question. If that's the case, what specifically do I have to change in order to accommodate this cookie change?

Upvotes: 1

Views: 4543

Answers (1)

rowan_m

Reputation: 3050

For any of these warnings, if you are not responsible for the domain then you are not responsible for updating the cookies. In this case, Google is responsible for updating the relevant code that sets the SameSite attributes for cookies from google.com.

At this point, the warnings are purely informational and are not impacting functionality. Enforcing this behaviour in stable Chrome is not scheduled until M80, currently targeted for Feb 2020.

If you want cookies sent with your fetch request, you should ensure you're explicitly including them.

chrome.runtime.onMessage.addListener(
    function(request, sender, sendResponse) {
        fetch(request, { credentials: 'include' })
            .then(function(response) { // snip

Upvotes: 1
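
Added example (not part of the question or the answer): a small Node.js model of the two rules named in the warning, combined with the fetch `credentials` option from the answer, showing which cookies reach a cross-site `fetch()`. The function names and sample headers are constructed for illustration, and the model assumes a plain cross-site request with no extension-specific handling.

```javascript
// Parse a Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), attrs: {} };
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Verdict for a cookie on a cross-site fetch() under the new defaults.
// credentials is the fetch option: 'omit', 'same-origin' (default), 'include'.
function crossSiteFetchVerdict(header, credentials = 'same-origin') {
  const { attrs } = parseSetCookie(header);
  const raw = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  // A missing or unrecognised SameSite value is treated as Lax.
  const sameSite = ['strict', 'lax', 'none'].includes(raw) ? raw : 'lax';
  const secure = attrs.secure === true;

  // Rule 1: SameSite=None without Secure is rejected when the cookie is set.
  if (sameSite === 'none' && !secure) return 'rejected';
  // fetch() only attaches cookies cross-origin with credentials: 'include'.
  if (credentials !== 'include') return 'omitted-by-fetch';
  // Rule 2: Lax and Strict cookies are not attached to cross-site fetches
  // (Lax still travels on top-level GET navigations, which fetch() is not).
  if (sameSite !== 'none') return 'blocked-by-samesite';
  return 'sent';
}

// Constructed sample headers, not captured from any real site.
const samples = [
  'session=constructed123; Path=/; HttpOnly',
  'session=constructed123; Path=/; SameSite=None',
  'session=constructed123; Path=/; Secure; SameSite=None',
  'session=constructed123; Path=/; Secure; SameSite=Lax',
];
for (const h of samples) {
  console.log(h);
  console.log('  default fetch      ->', crossSiteFetchVerdict(h));
  console.log("  credentials:include ->", crossSiteFetchVerdict(h, 'include'));
}
```

Only the third sample is `sent`, and only with `credentials: 'include'`: the cookie's owner has to set `SameSite=None; Secure`, and the caller has to opt in to sending credentials.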
