The network request in a Safari web extension doesn't contain the cookie header

I have some interactive network actions,
but the requests don't seem to contain the domain's cookie, even though the chrome.cookies.get() API can get the domain's cookie.

I also tried unchecking Safari Privacy -> Website tracking, and then the network request automatically contains the domain's cookie. Is there something missing? Please help.
By the way, the request is made in the extension's local HTML page.
By the cookie that's attached to their network request, do you mean an HTTPOnly/network-only cookie? The current implementation of Safari Web Extensions does not support getting or setting HTTPOnly/network-only cookies.

Can you provide a little more information about what your use case is here? We can't comment on future plans, but it is very helpful to file a request at https://feedbackassistant.apple.com/ to help us understand your exact use case for this API.
xhr.withCredentials is what helped me get cookies included in request headers.

Code Block
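const xhr = new XMLHttpRequest();
xhr.open('GET', url);
// Include cookies and other credentials on the cross-origin request
xhr.withCredentials = true;
xhr.send();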

I'm also trying to convert my extension and bumped into this. Real funky.

Essentially, I'm making a request to an API from my extension to log in. That login request generates a UUID and sends it via Set-Cookie on the response. Then when I do subsequent requests, the cookie is attached to the request on Chrome, Edge, and Firefox, but not on Safari.

withCredentials doesn't work, since I'm assuming Safari is treating this like a full-blown CORS request where you need Access-Control-Allow-Credentials and a specific origin, which would require significant work with a breaking change on the backend, and would need to detect the Safari web extension origin and send it back as allowed in the CORS header.

It would be much simpler if Safari just did what other browsers did, and if your extension has the origin whitelisted with permission in the manifest (or by programmatic permission w/ optional_permissions), the browser ignores CORS completely and treats it like a same-origin request.

Otherwise, if you haven't whitelisted the origin in the extension permissions the functionality is fine in all browsers - it's treated like a normal CORS request.

It's weird because in Safari when I add the origin to the manifest, I can make the request cross-origin fine, but I bump into this credentials/cookie CORS issue. It's like CORS: Bamboozled Edition. 😆

Thanks for all the work on the web extensions in Safari 14!
An extra note. The same requests work fine in a normal website (as same-origin requests).
More info on what Chrome is doing is on source.chromium.org here: https://source.chromium.org/chromium/chromium/src/+/master:chrome/renderer/extensions/chrome_extensions_renderer_client.cc;drc=93f8b74447f261ada0224ae54176fbecdf03a294;l=327-328

Chrome extensions use the chrome-extension:// URL scheme, which appears as cross-site to anything https:// or http://. The fix, which is to treat extension-initiated requests as same-site*, is available in Chrome 79 and later. Some use cases involving requests made from web frames on extension pages may also behave differently in Chrome 80. If you test on newer (80+) versions of Chrome and find that your extension is still broken, please file a bug on crbug.com using this template.

Look at the chromium.org FAQ here:
/updates/same-site/faq


It is expected that an origin be listed in permissions or optional_permissions to be whitelisted for CORS in Safari. Otherwise normal CORS restrictions apply. Does adding the origin pattern you need to optional_permissions help?
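
Added example, not part of the original thread: a sketch of the credentialed-CORS rule discussed above (Access-Control-Allow-Credentials plus a specific origin), with a server-side header builder that echoes only allowlisted origins and a simplified model of the browser-side check. The origins, the extension ID and the function names are constructed placeholders, not values from the thread or from any project.

```javascript
// Constructed allowlist (assumption): real values depend on your deployment.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',                      // hypothetical first-party site
  'safari-web-extension://EXAMPLE-EXTENSION-ID',  // hypothetical extension origin
]);

// Server side: build CORS response headers from the request's Origin header.
function corsHeadersFor(origin, allowed = ALLOWED_ORIGINS) {
  // Unknown or missing origin: emit no allow headers, so the browser
  // refuses to expose the response to the calling script.
  if (!origin || !allowed.has(origin)) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': origin,       // exact echo, never '*'
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',                              // keep caches from mixing origins
  };
}

// Browser side: simplified model of the CORS check applied to a request
// sent with credentials (xhr.withCredentials = true).
function credentialedResponseReadable(requestOrigin, headers) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  const allowCreds = headers['Access-Control-Allow-Credentials'];
  if (allowOrigin === undefined) return false;
  if (allowOrigin === '*') return false;          // wildcard is rejected with credentials
  if (allowOrigin !== requestOrigin) return false;
  return allowCreds === 'true';                   // must be the literal string "true"
}

// Walk the cases: allowlisted origin, wildcard reply, unlisted origin.
function demo() {
  const ext = 'safari-web-extension://EXAMPLE-EXTENSION-ID';
  const wildcard = {
    'Access-Control-Allow-Origin': '*',
    'Access-Control-Allow-Credentials': 'true',
  };
  const other = 'https://other.example';
  return {
    allowlisted: credentialedResponseReadable(ext, corsHeadersFor(ext)),
    wildcard: credentialedResponseReadable(ext, wildcard),
    unlisted: credentialedResponseReadable(other, corsHeadersFor(other)),
  };
}
```

Echoing the Origin header without the allowlist check would let any site read credentialed responses, which is why the builder returns no allow headers for unknown origins.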