SameSite cookie in Safari web extension

I'm porting a Chrome extension to Safari. All works well besides the auth flow, which uses SameSite=Strict cookies.

On Chrome, such cookies are easily set and work as expected, but not on Safari.

Now, as I understand, technically, requests from chrome-extension:// and safari-web-extension:// origins are cross-site in relation to the server, which makes me think that on Chrome, the SameSite=Strict attribute is simply ignored as an exception for extensions. With that said, the backend team wants to keep the attribute for security reasons and so removing it or replacing it with SameSite=None isn't an option.

Is this an intended behavior of Safari or a bug? Is there a way to get around this without changing the attribute?

Post by areknawo (not yet marked as solved)
  • I have a similar issue, but in my case, the server's Set-Cookie has SameSite=None


Replies

Having the same issue debugging a Safari web extension converted using the xcrun command from an existing Chrome web extension written in JavaScript. Are there any plans to look at this Safari behavior?