Same-site cookie prevents extensions from making CORS requests
Issue description

From mkwst@: "It probably would interfere with extensions in the current implementation, assuming that the extension is making a request directly from its background page to the mail feed endpoint. Likewise, if an injected content script was making the request, the same-site status would be dependent on the context in which the script was injected. We could mitigate that by whitelisting `chrome-extension://` initiators as being same-site for these purposes, but I guess I need to think a little bit about whether or not that's a good idea."
Jun 3 2016
Not strictly a security bug; I chose the type since it's about a feature that's related to security :) Feel free to change type/component. The primary goal would be tracking the discussion on the pros/cons of supporting CORS requests from extension contexts w.r.t. same-site cookies, and making a final decision on the matter.
Jun 3 2016
Cool, opening it up for discussion then.
Jun 4 2016
Feb 24 2017
rdevlin.cronin@: WDYT? Marking as low-priority, as samesite cookies aren't widely used; we should make a decision here, though, as I hope they'll be more widely used in the future. :)
May 9 2017
I have a website with same-site:lax set on the JSESSIONID cookie. Next to that I have a Chrome extension (custom developer tool) that is doing AJAX requests on the same site to visualize some information from the website that is being developed. Each request on the website gets a newly assigned JSESSIONID because the AJAX request from the extension that automatically happens between two regular requests somehow "resets" the cookie. I understand that (and why) extensions behave as "external" domains. But in such a situation I'd expect that the cookies would be isolated from one another. But it seems that the requests somehow affect the JSESSIONID cookie written by the main browser request on the web application. Is there any source that would describe the internals of the samesite implementation? Is there a way to allow the extension to access cookies protected by the samesite attribute, or do I need to skip the samesite attribute of JSESSIONID in "developer" mode to enable this use-case? Thank you.
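The following is an added illustration, not Chromium code and not from anyone in this thread. It models, in simplified form, when a cookie with a SameSite attribute is attached to a request, so that the two situations discussed here can be compared: the extension's request from a `chrome-extension://` initiator (cross-site for the site's Lax cookie, so no JSESSIONID is sent and the server answers with a fresh session cookie that overwrites the page's one, which is consistent with the "reset" described above) and the mitigation floated in the issue description (treating `chrome-extension://` initiators as same-site). The site comparison uses the last two host labels as a stand-in for a public-suffix-list lookup; the URLs and extension id are constructed for the example.

```javascript
// Added example (not Chromium's implementation): simplified SameSite model.
// Assumption: "site" is approximated by the last two host labels instead of
// an eTLD+1 lookup against the public suffix list.
function siteOf(url) {
  const u = new URL(url);
  if (u.protocol === 'chrome-extension:') return `chrome-extension://${u.host}`;
  return u.hostname.split('.').slice(-2).join('.');
}

// cookie:  { name, sameSite: 'Strict' | 'Lax' | 'None' }
// request: { url, initiator, topLevelNavigation, method }
// options: { extensionInitiatorsAreSameSite } models the mitigation from the
//          issue description (whitelist chrome-extension:// initiators).
function cookieIsAttached(cookie, request, options = {}) {
  const fromExtension = new URL(request.initiator).protocol === 'chrome-extension:';
  const sameSite =
    siteOf(request.initiator) === siteOf(request.url) ||
    (fromExtension && options.extensionInitiatorsAreSameSite === true);

  switch (cookie.sameSite) {
    case 'None':
      return true; // current browsers also require Secure; omitted here
    case 'Strict':
      return sameSite;
    case 'Lax':
      // Lax additionally allows cross-site top-level navigations with safe methods
      return sameSite ||
        (request.topLevelNavigation && ['GET', 'HEAD'].includes(request.method));
    default:
      throw new Error(`unknown SameSite value: ${cookie.sameSite}`);
  }
}

// Constructed scenario mirroring the May 9 2017 comment: JSESSIONID is SameSite=Lax,
// the page itself loads from the site, the extension's AJAX call comes from its
// own chrome-extension:// origin (hypothetical extension id).
const jsessionid = { name: 'JSESSIONID', sameSite: 'Lax' };
const pageLoad = { url: 'https://app.example.test/page', initiator: 'https://app.example.test/',
  topLevelNavigation: true, method: 'GET' };
const extensionXhr = { url: 'https://app.example.test/api/info',
  initiator: 'chrome-extension://abcdefghijklmnopabcdefghijklmnop/',
  topLevelNavigation: false, method: 'GET' };

function scenario() {
  return {
    pageLoad: cookieIsAttached(jsessionid, pageLoad),                 // true
    extensionXhr: cookieIsAttached(jsessionid, extensionXhr),         // false: no JSESSIONID sent
    withWhitelist: cookieIsAttached(jsessionid, extensionXhr,
      { extensionInitiatorsAreSameSite: true }),                      // true under the mitigation
  };
}
```

Because the browser keeps one cookie jar for the site, the Set-Cookie on the reply to the cookie-less extension request replaces the JSESSIONID the page is using, which is why the page sees a new session on its next request.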
Nov 10 2017
Feb 18 2018
Aug 1
Comment 1 by f...@chromium.org, Jun 3 2016