How to send a cookie with a cross-origin XMLHttpRequest from a Chrome extension
Posted: Mon Dec 09, 2024 8:33 am
When developing a Chrome extension, you might need an XMLHttpRequest made from a content script to send a domain's cookies when it makes a request to that domain, even though the request's origin is not that domain. Not much has been written about how to do this.
Dana Woodman, a Chrome extension developer, discusses how to do this, but she makes a mistake, claiming that you need to designate the “cookies” permission in your manifest.json. This is not accurate. You can designate the “cookies” permission in manifest.json, but you only need to do that if you want to access cookie data separately from an XMLHttpRequest. Additionally, she makes a mistake that 99% of Chrome extension developers make, assuming that you have to put your domain in the “permissions” field in order to make cross-origin web requests to it.
There are a few Stack Overflow threads like this one and this one that explain the issue, but they also leave out key details and insights.
In this article, I’ll break down exactly what you need to do to pass along cookies to cross-origin XMLHttpRequests in a Chrome extension.
Why would anyone ever want to do this to begin with?

So that your web server endpoint for your Chrome extension can authenticate a user. If part of your Chrome extension setup is to let the user authenticate via a webpage, then you probably set a cookie or a session ID for that authenticated user. If your Chrome extension then makes XHR requests to your web server as part of its functionality, you’ll want to pass cookies along so that you know which user you’re dealing with.
First, let’s clarify the issue of placing “hosts” in the “permissions” field:
Most Chrome extension developers assume that if their