Proposal: if extension has "storage" permission it should be allowed to use Web Storage API and Cookies API

[bershanskiy]

Problem

When the user blocks third-party cookies or all cookies, this block also applies to extension pages (background, action popup, injected frames, DevTools frames). This is counter-intuitive to both users and developers and can break extensions.

Background

This incompatibility always existed, but it might become more common as browsers move to block third-party cookies.

For example, this exact problem was reported to React DevTools engineers back in 2014 (fixed by avoiding Web Storage API and Cookies API): facebook/react-devtools#8.

Chromium bugs explaining the problem:

• https://crbug.com/1287890
• https://crbug.com/971848
• https://crbug.com/319328
• https://crbug.com/347140

Alternative fix

Users can grant extension permission to use third-party cookies by going to browser settings and adding an exclusion. This is very counter-intuitive.

Repro steps

Please see linked Chromium bugs.

Proposal

Extensions should be able to access Web Storage API and Cookies API if the extension has "storage" permission because:

• this relaxation does not harm user privacy since the extension can always emulate Web Storage API and Cookies API by saving data to chrome.storage.local
• this relaxation fixes some compatibility issues for users with strict privacy setting

[bershanskiy]

I just checked this again and apparently Chrome currently allows access to Browser Storage API (but not cookies) ewen when cookies are disabled globally.