Extensions can store cookies and access web storage APIs similarly to a normal website. However, in some cases these behave differently in extensions.
chrome.storage for information on the extension API.
It is often desirable to use web platform storage APIs in extensions. This section explores the behavior of these APIs in an extension context, which can sometimes differ with how they behave on the web.
By default, extensions are subject to the normal quota restrictions on storage, which can be checked
navigator.storage.estimate(). Storage can also be evicted under
heavy memory pressure, although this is rare. To avoid this:
- Request the
"unlimitedStorage"permission, which affects both extension and web storage APIs and exempts extensions from both quota restrictions and eviction.
navigator.storage.persist()for protection against eviction.
Extension storage is shared across the extension's origin including the extension service worker, any extension pages (including popups and the side panel), and offscreen documents. In content scripts, calling web storage APIs accesses data from the host page the content script is injected on and not the extension.
Access in service workers
If you need to access Local Storage or Session Storage from the service worker, use an offscreen document.
Partitioning is where keys are introduced for stored data to limit where it can be accessed. Storage has historically been keyed by origin.
Starting in Chrome 115, storage partitioning introduces changes to how partitioning keys are defined to prevent certain types of cross-site tracking. In practice, this means that if site A embeds an iframe containing site B, site B will not be able to access the same storage it would usually have when navigated to directly.
To mitigate the impact of this in extensions, two exemptions apply:
- If a page with the
chrome-extension://scheme is embedded in any site, storage partitioning will not apply, and the extension will have access to its top-level partition.
- If a page with the
chrome-extension://scheme includes an iframe, and the extension has host permissions for the site it is embedding, that site will also have access to its top-level partition.
Cookies provide a way to store key/value pairs associated with a specific domain and path. They have limited value in extensions but understanding their behavior can be useful if you have a specific use case or have bundled a third-party script which uses them in its implementation.
Secure cookie attribute is only supported for the
chrome-extension:// pages are not able to set cookies with this attribute.
This also means that extension pages cannot use other cookie attributes where the
Secure attribute is
Cookies set on chrome-extension:// pages always use
SameSite=Lax. Consequently, they
can never be accessed in iframes and partitioning is not relevant.
When an extension embeds a third-party website inside one of its pages, the behavior depends on the choices on Chrome's Privacy and security settings page:
- If third-party cookies are enabled, the site can access cookies from a partition keyed based on its origin.
- If third-party cookies are blocked, Chrome uses the extension origin as the partitioning key for the third-party site's cookies. This means that the site will not be able to access partitioned cookies associated with other partitions such as the cookies it could access if it were navigated to directly.
This setting is part of the Privacy Sandbox work and is being adjusted according to this timeline.