I'm developing a feature in an extension that allows users to override some local resources with remote ones.
To do so, we are using webRequest to redirect selected requests to the remote location. This works fine, Cookies can be sent correctly on those ones and remote resources can then be loaded (auth needed).
The tricky part, that does not work, is when said resources contain HTML imports.
Chrome will resolve these imports and send requests to get imported resources, but in that case, it does not send the Cookie header. So I used webRequest.onBeforeSendHeaders to add it (as required in Firefox anyways).
In that case, Chrome won't let the Cookie header be sent as I think it should.
Does someone know if this is expected/standard, or if it might be a bug in Chrome instead? Or maybe there's a workaround?
EDIT: The HTML import spec specifies that HTML imports should be fetched as CORS with same-origin mode. Meaning that it should not send credentials. Which Chrome seems to respect here.
The question is now: should extensions be allowed to add cookie headers then? Firefox seems to Allow that (I could add the missing cookie header).
EDIT2: I've dug up in chromium issues to find out that the core dev team is considering relaxing some security features for extensions, which might include this case. So I've opened an issue there