chrome extension set underscore prefixed cookies - google-chrome

I'm trying to set cookies such as __Host, __Secure, __utma through the Chrome extension:
chrome.cookies.set({
    "url": "https://*.google.com",
    "name": "__Host-1PLSID",
    "value": "s.IN|s.youtube:JAhqi_myqzIlEExBcYSrKg9DiCjl6XLANupheaB_cCsAO_SgGlCGlX7zCkQPDCf0A.",
    "path": "/",
    "domain": ".google.com",
    "expirationDate": 1830365600000,
    "secure": false,
    "httpOnly": false,
}, function (cookie) {
    console.log(JSON.stringify(cookie));
    console.log(chrome.extension.lastError);
    console.log(chrome.runtime.lastError);
});
However, in the console I'm getting the error Failed to parse or set cookie named "__Host-1PLSID". for all cookies starting with __. All other cookies (without the underscore prefix) are set without errors.
What could be the possible reason?
Thanks!
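Cookie names that begin with __Secure- or __Host- carry extra requirements under the cookie-prefix rules (RFC 6265bis draft), and browsers refuse a cookie that breaks them. The following is an added example, not part of the original post: a pre-flight check of a chrome.cookies.set() details object against those rules. The function name checkCookiePrefix and the example.com sample objects are constructed for illustration.

```javascript
// Added example (not from the original post). Checks a chrome.cookies.set()
// details object against the cookie-prefix rules before the call is made.
// checkCookiePrefix is a hypothetical helper name.
function checkCookiePrefix(details) {
  const name = details.name || "";
  const isHost = name.startsWith("__Host-");
  const isSecure = name.startsWith("__Secure-");
  if (!isHost && !isSecure) return []; // other "__" names have no prefix rules

  let url;
  try {
    url = new URL(details.url);
  } catch (e) {
    return ["url is not a parseable URL"];
  }

  const problems = [];
  // Both prefixes: secure origin and the Secure attribute are mandatory.
  if (url.protocol !== "https:") problems.push("url must use https");
  if (details.secure !== true) problems.push("secure must be true");

  if (isHost) {
    // __Host- cookies are host-only: no Domain attribute at all.
    if (details.domain !== undefined) problems.push("domain must be omitted");
    // Path must be "/". Conservative: when path is omitted, only accept a
    // url whose own path is "/" (the browser derives the default from it).
    const path = details.path !== undefined ? details.path : url.pathname;
    if (path !== "/") problems.push('path must be "/"');
  }
  return problems;
}

// Constructed sample inputs with the same shape as the call in the question.
const failing = { url: "https://example.com/", name: "__Host-sid",
                  value: "constructed", path: "/",
                  domain: ".example.com", secure: false };
const hostOnly = { url: "https://example.com/", name: "__Host-sid",
                   value: "constructed", path: "/", secure: true };
const securePrefixed = { url: "https://example.com/", name: "__Secure-sid",
                         value: "constructed", domain: ".example.com",
                         secure: true };

console.log(checkCookiePrefix(failing));
console.log(checkCookiePrefix(hostOnly));
console.log(checkCookiePrefix(securePrefixed));
```
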

Related

Chrome `cookie.getAll()` Yields Different Cookie Values than Chrome Dev Tools

I am writing a chrome extension that makes calls to an API and for that I am trying to get some existing session cookies in the service worker. My worker makes a call like this,
const cookies = await chrome.cookies.getAll({})
const sessionToken = cookies.filter(
    cookie =>
        cookie.name === "__Secure-next-auth.session-token")[0].value
However the value I get back for the cookie is different than the value in chrome dev tools. Interestingly enough both values have the same prefix (the value is long, I only pasted enough to demonstrate my point):
Dev tools cookie: eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..dCOoryziuSU3zkJl...
chrome.cookies.getAll: eyJhbGciOiJkaXIiLCJlbmMiOiJBMjU2R0NNIn0..colJ2H6th0yLZ9Q8...
In case it's useful the cookies have the HttpOnly parameter set. Can anyone guess why the cookie values might be different?
My worker is running after the page has loaded (so there's no chance that I'm getting an old value). I know the value the chrome API is giving is completely invalid because when I try to use it with the API I'm calling, I get "invalid token". On the other hand, the cookie in dev tools works with my API.
I thought maybe the cookie value had been decoded/encoded in some way but then why would the prefix match? I thought maybe the chrome API is storing multiple cookies with the same name, but when I log cookies, there is only one cookie with this name.
Would appreciate any thoughts.

Unrecognized attribute 'sameSite'. Note that attribute names are case-sensitive for Chrome version 80+

I have an application running where the contents open in an iframe, which is treated as a cross-site scenario.
I'm aware of the latest Chrome 80+ version update where all cookies are set to SameSite=Lax by default. My application was working fine with older versions of Chrome and with the below tag added in my web.config file
<httpCookies requireSSL="true" sameSite="None"/>
Now with this tag added, I get the error "Unrecognized attribute 'sameSite'. Note that attribute names are case-sensitive".
Without the tag, my application loads but I'm not able to browse through the contents since it opens in an iframe.
The blog here asks me to add the SameSite=None; Secure tag, but adding the tag itself errors out. Am I missing anything?
As a workaround I have disabled "SameSite by default cookies" from the flag chrome://flags/#same-site-by-default-cookies and now it seems to work fine.
Is there a way I can achieve this by adding a tag in web.config rather than explicitly making client-side changes? Why am I getting the unrecognized error for the sameSite attribute?
After a lot of research, I found a way to do it from code-behind
HttpCookie Cookie = new HttpCookie("Cookie")
{
    Value = "value to be stored",
    Secure = true,
    HttpOnly = true
};
This adds the cookie to the context with the HttpOnly and Secure flags set to true.
The issue was that SameSite was assigned "Lax" by default after the recent Chrome update. Since my website was opening in an iframe, the cookies were not being passed due to cross-site requests. Changing it to None resolved the issue.

Chrome off-screen tab capture API, and extension whitelisting

I'd like to use the Chrome off-screen tab capture API in my extension. So, I worked up a manifest with the tabCapture permission, and some code to try it out:
chrome.tabCapture.captureOffscreenTab('http://example.com', {
    audio: true,
    video: true
}, function () {
    console.log(arguments);
});
Unfortunately, I get this error on my console:
Unchecked runtime.lastError while running tabCapture.captureOffscreenTab: Extension is not whitelisted for use of the unstable, in-development chrome.tabCapture.captureOffscreenTab API.
How can I whitelist my extension?
I found a bug report where there was an ask to use _api_features.json rather than hard-coded extension IDs, but I couldn't find that file.
#wOxxOm answered this question!
Snag the ID of the extension on chrome://extensions. Run Chrome like so:
chrome.exe --whitelisted-extension-id=abcdefghijklmnopqrstuvwxyz
It works great!

How to detect SSL errors using chrome extension? [duplicate]

I'm doing a simple GET request to my URL and I get the error "ERR_INSECURE_RESPONSE". This is fine, as the certificate is self-signed. But I have two questions regarding it:
1. Is there a way to overcome this in an extension? Like setting a flag in the request or something like that? (probably not likely)
2. Is there a way just to handle this error (to notify the user)? I've checked all XMLHttpRequest fields and cannot see anything that can indicate this error. The status field has a value of 0 (zero).
Any ideas?
No, the extension API does not offer any method to modify SSL settings or behavior.
You could use the chrome.webRequest.onErrorOccurred event to get notified of network errors. The error property will contain the network error code.
For example:
chrome.webRequest.onErrorOccurred.addListener(function(details) {
    if (details.error == 'net::ERR_INSECURE_RESPONSE') {
        console.log('Insecure request detected', details);
    }
}, {
    urls: ['*://*/*'],
    types: ['xmlhttprequest']
});
var x = new XMLHttpRequest;
x.open('get','https://example.com');
x.send();
If for testing only, just start Chrome with the --ignore-certificate-errors flag to allow self-signed certificates to be used. This affects all websites in the same browsing session, so I suggest using a separate profile directory for this purpose, by appending --user-data-dir=/tmp/temporaryprofiledirectory to the command line arguments.
Another way to avoid the error in the first place is to get a valid SSL certificate. For non-commercial purposes, you can get a free SSL certificate at https://www.startssl.com.
