chrome.webRequest cannot add Cookie header to HTML import fetch request on other domain
Reported by
rserte...@nuxeo.com,
Jan 17 2018
|
||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0 Steps to reproduce the problem: I'm developing a feature in an extension that allows users to override some local resources with remote ones on a SaaS service requiring authenticated access. As we do not want to store or ask for user's credentials we rely on them being logged in when using the feature. So we just need to send cookies. To do so, we are using webRequest to redirect selected requests to the remote location when needed. This works fine, Cookies can be sent correctly on those ones and remote resources can then be loaded. To arrive at hte problem, we would need to fetch a remote resource (protected by auth with cookies) which contains HTML imports. This will fail as the cookie is not sent in fetch requests for HTML imports. What is the expected behavior? Chrome should let web extensions send cookies for HTML import fetch requests. What went wrong? The HTML import spec specifies that HTML imports should be fetched as CORS with same-origin mode. Meaning that it should not send credentials. Chrome seems to respect it here although I think extensions should be allowed to send cookies for such requests as users gave it the permission to do so. To fix that, I tried to use webRequest.onBeforeSendHeaders to add the cookie header (as required in Firefox anyways) but it didn't work. Did this work before? No Does this work in other browsers? N/A Chrome version: 63.0.3239.84 Channel: stable OS Version: Ubuntu 16.04 (64-bit) Flash Version: I've seen other issues with related concerns (relaxing security features from web extensions): https://bugs.chromium.org/p/chromium/issues/detail?id=796480 https://bugs.chromium.org/p/chromium/issues/detail?id=617198 https://bugs.chromium.org/p/chromium/issues/detail?id=788152
,
Jan 18 2018
@Reporter: Could you please provide us sample extension to check this issue.If possible please guide us with steps to reproduce the issue with the sample extension. This would help in further triaging of the issue. Thanks!
,
Jan 22 2018
Devlin, can you triage this?
,
Jan 24 2018
I'm not opposed to this, but I don't know the HTML spec well enough to know if there's anything fundamental this will break. hayato@, jbroman@ mentioned that you might be knowledgeable in this area - any thoughts? Assigning to karandeepb@ for now. |
||||
►
Sign in to add a comment |
||||
Comment 1 by krajshree@chromium.org
, Jan 17 2018