Network requests from content scripts that are same-site (NOTE: same-site, not necessarily same-origin!) relative to the document's URL SHOULD still include samesite=lax cookies. This does apparently NOT happen.

STR:
1. Load the attached extension. (the extension will create a session cookie with SameSite=Lax at `httpbin.org`)
2. Click on the extension button to open https://httpbin.com/dummy
3. Look at the page (modified by the extension).

Expected:
```
fetch to 'http://httpbin.org/cookies' received the following cookies:
{
  "testcookie": "test from ..."
}

This is a same-origin request, SameSite cookies should be included.
```

Actual:
```
fetch to 'http://httpbin.org/cookies' received the following cookies:
{}

This is a same-origin request, SameSite cookies should be included.
```

Note: The expected behavior occurs if you open the DevTools console for the page from step 3 and run `runTest()`

Note: The actual behavior (of not including cookies) is expected when you visit a third-party site such as example.com.

Bug 1635490 Comment 15 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Network requests from content scripts that are same-site (NOTE: same-site, not necessarily same-origin!) relative to the document's URL SHOULD still include samesite=lax cookies. This does apparently NOT happen.

STR:
1. Load the attached extension. (the extension will create a session cookie with SameSite=Lax at `httpbin.org`)
2. Open https://httpbin.org/dummy
3. Look at the page (modified by the extension).

Expected:
```
fetch to 'http://httpbin.org/cookies' received the following cookies:
{
  "testcookie": "test from ..."
}

This is a same-origin request, SameSite cookies should be included.
```

Actual:
```
fetch to 'http://httpbin.org/cookies' received the following cookies:
{}

This is a same-origin request, SameSite cookies should be included.
```

Note: The expected behavior occurs if you open the DevTools console for the page from step 3 and run `runTest()`

Note: The actual behavior (of not including cookies) is expected when you visit a third-party site such as example.com.
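
The same-site versus same-origin distinction the report relies on, as an added example (not part of the bug comment or the attached extension). It assumes the schemeless definition of "site" (registrable domain only) and models only subresource requests such as `fetch`; `PUBLIC_SUFFIXES`, `registrableDomain`, `classify` and `laxCookieExpected` are hypothetical names, and the suffix set is a constructed stand-in for the Public Suffix List.

```javascript
// Constructed, tiny stand-in for the Public Suffix List (assumption: real
// browsers consult the full list to find the registrable domain).
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain (eTLD+1) of a hostname, using the stand-in list above.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // i = 0 tests the longest candidate suffix first.
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      // Keep one label to the left of the public suffix, if there is one.
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null; // unknown suffix: no registrable domain
}

// Relationship of a request URL to the URL of the document that issues it.
function classify(documentUrl, requestUrl) {
  const doc = new URL(documentUrl);
  const req = new URL(requestUrl);
  // Same origin: scheme, host and port all match.
  if (doc.origin === req.origin) return "same-origin";
  // Same site (schemeless, assumption): registrable domains match.
  const a = registrableDomain(doc.hostname);
  const b = registrableDomain(req.hostname);
  return a !== null && a === b ? "same-site" : "cross-site";
}

// Whether a SameSite=Lax cookie is expected on a subresource request.
// Top-level navigations follow different rules and are not modelled here.
function laxCookieExpected(documentUrl, requestUrl) {
  return classify(documentUrl, requestUrl) !== "cross-site";
}

// URLs taken from the report above.
console.log(classify("https://httpbin.org/dummy", "http://httpbin.org/cookies"));
console.log(laxCookieExpected("https://example.com/", "http://httpbin.org/cookies"));
```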