This fetch call runs in the context of the extension's background page, usually the non-private browsing mode. The problem with this logic is that if the server responds with any cookies, that it is associated with the default browsing mode. This can result in privacy issues in the following situations:
The user uses the extension in Private browsing mode (incognito)
The user uses the extension in a container tab
The user uses the extension on a subresource when State partitioning is enabled (which usually the default).
To resolve this issue, I recommend to pass the two additional flags to the fetch call:
credentials: "omit",
cache: "no-store",
An alternative (in Firefox, as long as the extension is Manifest Version 2) is to call fetch from the content script. Then it will automatically be associated with the right cookie store.
(This privacy issue was originally reported at https://bugzilla.mozilla.org/show_bug.cgi?id=1833842)
The extension calls
fetch()from the background page:https://github.com/TheFantasticWarrior/chrome-extension-imagus/blob/24072e8c4d40f871ed30bbf3215c02412fbcbdad/src/js/app_bg.js#L224-L226 https://github.com/TheFantasticWarrior/chrome-extension-imagus/blob/24072e8c4d40f871ed30bbf3215c02412fbcbdad/src/js/app_bg.js#L178-L180
This
fetchcall runs in the context of the extension's background page, usually the non-private browsing mode. The problem with this logic is that if the server responds with any cookies, that it is associated with the default browsing mode. This can result in privacy issues in the following situations:To resolve this issue, I recommend to pass the two additional flags to the
fetchcall:An alternative (in Firefox, as long as the extension is Manifest Version 2) is to call
fetchfrom the content script. Then it will automatically be associated with the right cookie store.