UserAgent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0

Steps to reproduce the problem:
I'm developing a feature in an extension that allows users to override some local resources with remote ones on a SaaS service requiring authenticated access. As we do not want to store or ask for user's credentials we rely on them being logged in when using the feature. So we just need to send cookies.

To do so, we are using webRequest to redirect selected requests to the remote location when needed. This works fine, Cookies can be sent correctly on those ones and remote resources can then be loaded.

To arrive at hte problem, we would need to fetch a remote resource (protected by auth with cookies) which contains HTML imports. This will fail as the cookie is not sent in fetch requests for HTML imports.

What is the expected behavior?
Chrome should let web extensions send cookies for HTML import fetch requests.

What went wrong?
The HTML import spec specifies that HTML imports should be fetched as CORS with same-origin mode. Meaning that it should not send credentials.

Chrome seems to respect it here although I think extensions should be allowed to send cookies for such requests as users gave it the permission to do so.

To fix that, I tried to use webRequest.onBeforeSendHeaders to add the cookie header (as required in Firefox anyways) but it didn't work.

Did this work before? No 

Does this work in other browsers? N/A

Chrome version: 63.0.3239.84  Channel: stable
OS Version: Ubuntu 16.04 (64-bit)
Flash Version: 

I've seen other issues with related concerns (relaxing security features from web extensions):

https://bugs.chromium.org/p/chromium/issues/detail?id=796480
https://bugs.chromium.org/p/chromium/issues/detail?id=617198
https://bugs.chromium.org/p/chromium/issues/detail?id=788152