In my managed enterprise app I have an embedded (iframe) web page (I don't own it) which uses accounts.google.com to do authentication. I'm also using a chrome manifest v3 extension to remove X-Frame-Options header and to set cookies which come from iframes (to solve SameSite=Lax set-cookie).
accounts.google.com loads correctly, all cookies are also seem to be set and eventually sent correctly, but accounts.google.com still says that I have cookies disabled.
What am I missing? Why does accounts.google.com still says I have cookies disabled? Even though they are correctly set (I have compared cookies in devtools embeded vs not-embeded accounts.google.com).
background.ts
...
chrome.webRequest.onHeadersReceived.addListener(
details => {
const cookiesHeaders = (
details.responseHeaders?.filter(h => h.name.toLowerCase() === 'set-cookie') || []
)
.map(h => h.value)
.filter((value): value is string => !!value);
const cookies = parseCookiesHeaders(cookiesHeaders);
...
chrome.cookies.set({
url: url,
name: cookie.name,
value: cookie.value,
path: cookie.path,
domain: cookie.domain,
secure: true,
httpOnly: cookie.httpOnly,
expirationDate: cookie.expires ? cookie.expires.getTime() / 1000 : undefined,
sameSite: 'no_restriction',
}),
...
chrome.declarativeNetRequest.updateSessionRules(
...
responseHeaders: [
{
header: 'X-Frame-Options',
operation: chrome.declarativeNetRequest.HeaderOperation.REMOVE,
},
{
header: 'Frame-Options',
operation: chrome.declarativeNetRequest.HeaderOperation.REMOVE,
},
...
solution based on @wOxxOm comments:
background.ts
chrome.scripting.registerContentScripts([
{
allFrames: true,
id: 'some-id',
js: ['inject-same-site-none-cookies.js'],
matches: ['<all_urls>'],
runAt: 'document_start',
world: 'MAIN',
},
]);
inject-same-site-none-cookies.ts
if (window !== top) {
const obj = Document.prototype,
k = 'cookie',
pd = Object.getOwnPropertyDescriptor(obj, k);
Object.defineProperty(obj, k, {
...pd,
set(v) {
return pd.set.call(this, v + '; SameSite=None; Secure');
},
});
}