I'm also trying to convert my extension and bumped into this. Real funky.
Essentially, I'm making a request to an API from my extension to login. That login request generates a uuid and sends it via Set-Cookie on the response. Then when I do subsequent requests, the cookie is attached to the request on Chrome, Edge, and Firefox, but not on Safari.
withCredentials doesn't work, since I'm assuming Safari is treating this like a full-blown CORS request where you need Access-Control-Allow-Credentials and a specific origin (https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials), which would require significant work with a breaking change on the backend, and would need to detect the Safari web extension origin and send it back as allowed in the CORS header.
It would be much simpler if Safari just did what other browsers do: if your extension has the origin whitelisted with permission in the manifest (or by programmatic permission w/ optional_permissions), the browser ignores CORS completely and treats it like a same-origin request.
Otherwise, if you haven't whitelisted the origin in the extension permissions, the functionality is fine in all browsers - it's treated like a normal CORS request.
It's weird because in Safari when I add the origin to the manifest, I can make the request cross-origin fine, but I bump into this credentials/cookie CORS issue. It's like CORS: Bamboozled Edition. 😆
Thanks for all the work on the web extensions in Safari 14!
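To make the backend change described above concrete, here is an added example (not code from the thread or from Apple's extension framework) of a credentialed-CORS policy that accepts a known extension origin without reflecting arbitrary origins, plus the matching client-side fetch options. The `safari-web-extension://` scheme and the `EXAMPLE-EXTENSION-UUID` entry are assumptions/placeholders, as are the hostnames.

```javascript
// Added example. Rules that keep credentialed CORS safe:
// 1. Only origins on an explicit allow-list are echoed back (never "*" and never
//    a blind reflection of the incoming Origin header).
// 2. Access-Control-Allow-Credentials is emitted only with a specific origin.
// The extension entry is a constructed placeholder, not a real extension ID.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "safari-web-extension://EXAMPLE-EXTENSION-UUID", // assumed scheme, placeholder ID
]);

// Exact-match lookup; returns {} for unknown, missing or "null" origins so the
// browser refuses to expose the response. (The request still reaches the server,
// so CORS is not a substitute for CSRF protection on state-changing endpoints.)
function corsHeadersFor(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // caches must not serve one origin's response to another
  };
}

// Preflight (OPTIONS) response: JSON bodies and custom headers trigger one.
function preflightHeadersFor(requestOrigin) {
  const base = corsHeadersFor(requestOrigin);
  if (Object.keys(base).length === 0) return {};
  return {
    ...base,
    "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
    "Access-Control-Allow-Headers": "Content-Type",
    "Access-Control-Max-Age": "600",
  };
}

// Set-Cookie value for the login session id. Because the extension origin is
// cross-site from the API's point of view, the cookie needs SameSite=None and
// Secure to be attached to later requests at all; HttpOnly keeps it out of JS.
function sessionCookieHeader(sessionId) {
  return `session=${sessionId}; Path=/; Secure; HttpOnly; SameSite=None`;
}

// Client side, inside the extension: the session cookie is only attached when
// the fetch explicitly opts in to credentials.
function apiRequestInit(method, body) {
  return {
    method,
    credentials: "include",
    headers: { "Content-Type": "application/json" },
    body: body === undefined ? undefined : JSON.stringify(body),
  };
}
```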
An extra note. The same requests work fine in a normal website (as same-origin requests).
More info on what Chrome is doing here, from source.chromium.org: https://source.chromium.org/chromium/chromium/src/+/master:chrome/renderer/extensions/chrome_extensions_renderer_client.cc;drc=93f8b74447f261ada0224ae54176fbecdf03a294;l=327-328
Chrome extensions use the chrome-extension:// URL scheme, which appears as cross-site to anything https:// or http://. The fix, which is to treat extension-initiated requests as same-site*, is available in Chrome 79 and later. Some use cases involving requests made from web frames on extension pages may also behave differently in Chrome 80. If you test on newer (80+) versions of Chrome and find that your extension is still broken, please file a bug on crbug.com using this template. Look at the chromium.org FAQ here: /updates/same-site/faq