Apple is still not making this easy.

Please reconsider this and support the countless plugins that don't require user interaction at all! It's frustrating enough that permissions.request() requires a click, but it exclusively receiving both the promise and the subscribable event is heart-breaking.

Thanks for the info @timothy.hatcher. My problem was trying to pull a cookie before those xhr calls. Requests for the cookies were silently failing before permissions were granted. I ended up just using a combination of permissions.contains and cookies.getAll(). This fixed both of my problems. I can now show my own error message letting users know to click the toolbar icon, and the cookies.getAll() will group every website listed in the permissions section of manifest.json and show "Always allow access to these websites". browser.permissions.contains({origins: ['*://*.website.com/*']}, (granted) => { 		if (!granted){ 				//useless call to group multiple sites into one request window. 				browser.cookies.getAll({}); 				sendResponse({status:'FAIL', error:'Please click the toolbar button above to allow us permission to Website.'}); 				return; 		} });

xhr.withCredentials is what helped me get cookies included in request headers. xhr.open('GET', url); xhr.withCredentials = true; xhr.send();

This is happening if you send utf-8 chars from the background or content scripts to the site. Safari still defaults to (Western ISO Latin 1) charset. /* background.js */ sendResponse({error: 'These utf-8 quotes won’t work: “”’‘ we’re forced to use html entities like it’s 2005.'}); /* content-script.js */ browser.runtime.sendMessage(e.data).then(function(response){ 	window.postMessage({action: e.data.action, response: response}, window.location.origin); });