I'm also trying to convert my extension and bumped into this. Real funky.
Essentially, I'm making a request to an API from my extension to login. That login request generates a uuid and sends it via
Set-Cookie on the response. Then when I do subsequent requests, the cookie is attached to the request on Chrome, Edge, and Firefox, but not on Safari.
withCredentials doesn't work, since I'm assuming Safari is treating this like a full blown CORS request where you need
Access-Control-Allow-Credentials and a
specific origin. Which would require significant work with a breaking change on the backend, and would need to detect the safari web extension origin and send it back allowed in the CORS header.
It would be much simpler if Safari just did what other browsers did, and if your extension has the origin whitelisted with permission in the manifest (or by programatic permission w/ optional_permissions), the browser ignores CORS completely and treats it like a same origin request.
Otherwise, if you haven't whitelisted the origin in the extension permissions the functionality is fine in all browsers - it's treated like a normal CORS request.
It's weird because in Safari when I add the origin to the manifest, I can make the request cross-origin fine, but I bump into this credentials/cookie CORS issue. It's like CORS: Bamboozled Edition. 😆
Thanks for all the work on the web extensions in Safari 14!