Login to accounts.google.com with an iframe

Question

In my managed enterprise app I have an embedded (iframe) web page (I don't own it) which uses accounts.google.com to do authentication. I'm also using a chrome manifest v3 extension to remove X-Frame-Options header and to set cookies which come from iframes (to solve SameSite=Lax set-cookie).

accounts.google.com loads correctly, all cookies are also seem to be set and eventually sent correctly, but accounts.google.com still says that I have cookies disabled.

What am I missing? Why does accounts.google.com still says I have cookies disabled? Even though they are correctly set (I have compared cookies in devtools embeded vs not-embeded accounts.google.com).

background.ts

...

chrome.webRequest.onHeadersReceived.addListener(
  details => {
    const cookiesHeaders = (
      details.responseHeaders?.filter(h => h.name.toLowerCase() === 'set-cookie') || []
    )
      .map(h => h.value)
      .filter((value): value is string => !!value);
    const cookies = parseCookiesHeaders(cookiesHeaders);

...

chrome.cookies.set({
      url: url,
      name: cookie.name,
      value: cookie.value,
      path: cookie.path,
      domain: cookie.domain,
      secure: true,
      httpOnly: cookie.httpOnly,
      expirationDate: cookie.expires ? cookie.expires.getTime() / 1000 : undefined,
      sameSite: 'no_restriction',
}),

...

chrome.declarativeNetRequest.updateSessionRules(
...

responseHeaders: [
          {
            header: 'X-Frame-Options',
            operation: chrome.declarativeNetRequest.HeaderOperation.REMOVE,
          },
          {
            header: 'Frame-Options',
            operation: chrome.declarativeNetRequest.HeaderOperation.REMOVE,
          },
...

1) They may also use cookies on `google.com`. 2) If the site has a service worker you need to unregister it before showing the iframe, [example](https://stackoverflow.com/a/74823389/). — wOxxOm, Dec 20 '22 at 15:21
1. what do you mean? i run `chrome.cookies.set` for all `sub_frames`, so if cookies are being set for `google.com` my logic would also set it. 2. `accounts.google.com` doesn't set any service-workers, probably not the reason — nikitakot, Dec 20 '22 at 16:43
Wrong guess, probably, since you said all cookies seem to be there. Try debugging the site's code in devtools: use Ctrl-Shift-F search to find the error message and set a breakpoint in the place it's being shown, then walk up the call stack until you find the culprit. — wOxxOm, Dec 21 '22 at 08:45
@wOxxOm thanks for the suggestion. I found the reason why the cookies check fails: if `document.cookie = 'key=value; SameSite=None; Secure';` misses `SameSite=None; Secure';` (same as with the `set-cookie` header) cookies are not set in an iframe. Can extension somehow help bypassing it? Append `SameSite=None; Secure';` to all `document.cookie` being set? — nikitakot, Dec 21 '22 at 11:22
You can spoof it in [page context](/a/9517879) e.g. let obj = Document.prototype, k = 'cookie', pd = Object.getOwnPropertyDescriptor(obj, k); Object.defineProperty(obj, k, { ...pd, set(v) { return pd.set.call(this, v + '; SameSite=None; Secure') } }); — wOxxOm, Dec 21 '22 at 11:55

score 0 · Accepted Answer · answered Dec 23 '22 at 16:01

solution based on @wOxxOm comments:

background.ts

chrome.scripting.registerContentScripts([
  {
    allFrames: true,
    id: 'some-id',
    js: ['inject-same-site-none-cookies.js'],
    matches: ['<all_urls>'],
    runAt: 'document_start',
    world: 'MAIN',
  },
]);

inject-same-site-none-cookies.ts

if (window !== top) {
  const obj = Document.prototype,
    k = 'cookie',
    pd = Object.getOwnPropertyDescriptor(obj, k);
  Object.defineProperty(obj, k, {
    ...pd,
    set(v) {
      return pd.set.call(this, v + '; SameSite=None; Secure');
    },
  });
}

Login to accounts.google.com with an iframe

1 Answers1