I have a background page in a Chrome extension that makes requests to a server. By using Chrome's debugging tools I can see that various Set-Cookie headers are returned. However, subsequent requests do not contain these cookies - Chrome seems to throw them away. This results in each request made to the server being counted as a new session.
Server-side I have the following headers set:
header("Access-Control-Allow-Origin: *");
header("Access-Control-Allow-Credentials: true");
Client-side I have withCredentials = true set on the XMLHttpRequest object.
I also have the address of the server within the permissions section of the extension manifest.
I feel that I'm very close to a solution here - the server is responding with the correct headers but I can't quite work out why Chrome decides not to store the cookies.
Is there something else I need to set in the headers, XMLHttpRequest object or manifest? Or is this just not possible?
If the server doesn't allow credentials being sent along, the browser will just not attach cookies and authorization headers. So this could be another reason why the cookies are missing in the POST cross-site request.
The HTTP header Set-Cookie is a response header and is used to send cookies from the server to the user agent, so the user agent can send them back to the server later and the server can detect the user. Note: Using multiple directives is also possible.
Just set the Set-Cookie header in the response from the server side code. The browser should save it automatically. As a developer, you may be able to inspect the value of the cookies using "Developer Tools". And the same cookie will be sent in subsequent requests to the same domain, until the cookie expires.
I finally worked this one out. The trick is to put the "cookies" permission into the extension manifest. That's not obvious because the Chrome Extension documentation states only that it's required if you're using the chrome.cookies API - I'm not.
You also have to enable third party cookies. So I may need a totally different solution as enabling third party cookies is not something I want to be recommending.
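The Fetch standard's CORS check for a request sent with credentials, applied to the two headers shown in the question, as an added example that is not part of the original posts. It models an ordinary web page origin; `https://app.example` and the allowlist are constructed values, and `corsCheck` and `corsHeadersFor` are hypothetical helper names.

```javascript
// Added example: models the browser-side CORS check for a credentialed request.
// Header names are real; origins and the allowlist are constructed sample values.

// Returns null if the response may be shared with `origin`, else a reason string.
function corsCheck(origin, headers, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v.trim();
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return 'no Access-Control-Allow-Origin header';
  if (!withCredentials) {
    return allowOrigin === '*' || allowOrigin === origin ? null : 'origin mismatch';
  }
  // With credentials, "*" is not a wildcard: the value must equal the origin.
  if (allowOrigin === '*') return 'wildcard origin not allowed with credentials';
  if (allowOrigin !== origin) return 'origin mismatch';
  // The value must be the exact, case-sensitive string "true".
  if (h['access-control-allow-credentials'] !== 'true') {
    return 'Access-Control-Allow-Credentials is not "true"';
  }
  return null;
}

// Server-side counterpart: echo the Origin only when it is on an allowlist.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // caches must not reuse this response for another origin
  };
}

const ORIGIN = 'https://app.example';       // constructed
const OTHER = 'https://other.example';      // constructed
const ALLOWLIST = ['https://app.example'];  // constructed
const fromQuestion = {                      // the two headers from the question
  'Access-Control-Allow-Origin': '*',
  'Access-Control-Allow-Credentials': 'true',
};

console.log(corsCheck(ORIGIN, fromQuestion, true));
console.log(corsCheck(ORIGIN, corsHeadersFor(ORIGIN, ALLOWLIST), true));
console.log(corsCheck(OTHER, corsHeadersFor(OTHER, ALLOWLIST), true));
```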