Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Send cookies with ajax call from chrome extension content script

I'm making a chrome extension for a site which provides api to check if user is signed in or not. The api is for a GET request. So when i'm, not singed in it gives.

{ status: "ok", authenticated: false}

When i'm signed in it gives me

{status : "ok", authenticated: true, id: 123}

This works fine on browser, chrome extensions like Postman and advanced Rest Client. But when i use it in my chrome extension background it always says i'm not a authenticated user. I figured out that the ajax call i make does not send cookies for the domain, but the chrome extension like Postman or Advanced REST client do send cookies along with XHR request.

Any idea how can i make ajax to send cookies along with it.

here is my ajax call from chrome extension

$.ajax({
    method:"GET",
    //  xhrFields: {
       //   withCredentials: true
       // },
       // crossDomain: true,
        url:"http://test-staging.herokuapp.com/user/details",
        success: function(result){
          if(result.status=="ok"){
            alert(JSON.stringify(result));
        cb(result.authenticated);
      }
    },
    error: function(err){
      alert("unable to authenticate user "+JSON.stringify(err))
    }
  })

UPDATE 1:

I'm able to get the domain cookies details from the background script. Now i'm looking how i can send the cookies with the ajax call?

like image 925
HariHaraSudhan Avatar asked Nov 11 '22 09:11

HariHaraSudhan


1 Answers

If the content script is injected into a page with an origin (protocol, host and port combination) different from the API origin:

  • Cookies could be blocked by the third-party cookie blocking feature.
    Check if it is enabled: chrome://settings/content/cookies.
    Background scripts are not affected by it (as of Chrome 81).
  • Either set withCredentials: true (credentials: 'include' for fetch)
    or add the origin into the permissions section of manifest.json.
    To receive the response, correct CORS headers are required in either case.

Prefer moving API calls into a background script and passing data to the content script with sendMessage to circumvent the third-party cookie blocking, CORB and CORS restrictions. If you choose to do so, add the API origin into the permissions section of manifest.json.

like image 103
Vitaly Kuznetsov Avatar answered Nov 15 '22 05:11

Vitaly Kuznetsov