Get Inspired
Docs
Blog
Articles
Extensions
Welcome What's new in Chrome extensions
Support and feedback Get help with Chrome extensions File a bug Submit a feature request Find and follow a bug
Welcome Extensions 101 Development basics Run scripts on every page Inject scripts into the active tab Manage tabs Handle events with service workers
Welcome to Manifest V3 Extensions platform vision Overview of Manifest V3
What are themes? Frequently asked questions
Migrate to Manifest V3 Manifest V3 migration checklist Update the manifest Migrate to a service worker Update your code Replace blocking web request listeners Improve extension security Publish your extension Manifest V2 support timeline Known issues when migrating to Manifest V3
API reference Samples
Extension development overview Manifest file format Architecture overview Declare permissions About extension service workers Design the user interface Debug extensions
About extension service workers Extension service worker basics The extension service worker lifecycle Events in service workers Use WebSockets in service workers
Message passing Content scripts Match patterns Using promises Cross-origin isolation Storage and cookies
Use eval() in sandboxed iframes
Overriding Chrome settings Extending DevTools Fetching favicons OAuth2: Authenticate users with Google Override Chrome pages Rich notifications API Native messaging Audio recording and screen capture Use geolocation WebHID in extensions WebUSB in extensions File handling on Chrome OS Unit testing Chrome Extensions End-to-end testing for Chrome Extensions Tutorial: Testing Chrome Extensions with Puppeteer
Protect user privacy Permission warning guidelines Stay secure Accessibility (a11y) Localization message formats Give users options
Extension hosting Alternative extension installation methods Installing extensions on Linux Use Google Analytics 4
About Manifest V2 Getting started
What are extensions? What are themes? Frequently asked questions
Extension development overview Manifest file format Architecture overview Declare permissions Design the user interface Debugging extensions Samples
Message passing Content scripts Manage events with background scripts Match patterns Cross-origin isolation
Cross-origin XMLHttpRequest Using eval in Chrome extensions
Overriding Chrome settings Extending DevTools OAuth2: Authenticate users with Google Overriding Chrome pages Rich notifications API
Protect user privacy Declare permissions and warn users Stay secure Accessibility (a11y) Localization message formats Give users options
Chrome Web Store Alternative extension distribution options Installing extensions on Linux Tutorial: Google analytics
Extensions
Welcome What's new in Chrome extensions
Support and feedback Get help with Chrome extensions File a bug Submit a feature request Find and follow a bug
Welcome Extensions 101 Development basics Run scripts on every page Inject scripts into the active tab Manage tabs Handle events with service workers
Welcome to Manifest V3 Extensions platform vision Overview of Manifest V3
What are themes? Frequently asked questions
Migrate to Manifest V3 Manifest V3 migration checklist Update the manifest Migrate to a service worker Update your code Replace blocking web request listeners Improve extension security Publish your extension Manifest V2 support timeline Known issues when migrating to Manifest V3
API reference Samples
Extension development overview Manifest file format Architecture overview Declare permissions About extension service workers Design the user interface Debug extensions
About extension service workers Extension service worker basics The extension service worker lifecycle Events in service workers Use WebSockets in service workers
Message passing Content scripts Match patterns Using promises Cross-origin isolation Storage and cookies
Use eval() in sandboxed iframes
Overriding Chrome settings Extending DevTools Fetching favicons OAuth2: Authenticate users with Google Override Chrome pages Rich notifications API Native messaging Audio recording and screen capture Use geolocation WebHID in extensions WebUSB in extensions File handling on Chrome OS Unit testing Chrome Extensions End-to-end testing for Chrome Extensions Tutorial: Testing Chrome Extensions with Puppeteer
Protect user privacy Permission warning guidelines Stay secure Accessibility (a11y) Localization message formats Give users options
Extension hosting Alternative extension installation methods Installing extensions on Linux Use Google Analytics 4
About Manifest V2 Getting started
What are extensions? What are themes? Frequently asked questions
Extension development overview Manifest file format Architecture overview Declare permissions Design the user interface Debugging extensions Samples
Message passing Content scripts Manage events with background scripts Match patterns Cross-origin isolation
Cross-origin XMLHttpRequest Using eval in Chrome extensions
Overriding Chrome settings Extending DevTools OAuth2: Authenticate users with Google Overriding Chrome pages Rich notifications API
Protect user privacy Declare permissions and warn users Stay secure Accessibility (a11y) Localization message formats Give users options
Chrome Web Store Alternative extension distribution options Installing extensions on Linux Tutorial: Google analytics

Storage and cookies

Published on

Extensions can store cookies and access web storage APIs similarly to a normal website. However, in some cases these behave differently in extensions.

See chrome.storage for information on the extension API.

Storage

It is often desirable to use web platform storage APIs in extensions. This section explores the behavior of these APIs in an extension context, which can sometimes differ with how they behave on the web.

Persistence

Extension storage is not cleared when a user clears browsing data. This applies to any data stored using web storage APIs (such as Local Storage and IndexedDB).

By default, extensions are subject to the normal quota restrictions on storage, which can be checked by calling navigator.storage.estimate(). Storage can also be evicted under heavy memory pressure, although this is rare. To avoid this:

  • Request the "unlimitedStorage" permission, which affects both extension and web storage APIs and exempts extensions from both quota restrictions and eviction.
  • Call navigator.storage.persist() for protection against eviction.

Extension storage is shared across the extension's origin including the extension service worker, any extension pages (including popups and the side panel), and offscreen documents. In content scripts, calling web storage APIs accesses data from the host page the content script is injected on and not the extension.

Access in service workers

The IndexedDB and Cache Storage APIs are accessible in service workers. However, Local Storage and Session Storage are not.

If you need to access Local Storage or Session Storage from the service worker, use an offscreen document.

Partitioning

Partitioning is where keys are introduced for stored data to limit where it can be accessed. Storage has historically been keyed by origin.

Starting in Chrome 115, storage partitioning introduces changes to how partitioning keys are defined to prevent certain types of cross-site tracking. In practice, this means that if site A embeds an iframe containing site B, site B will not be able to access the same storage it would usually have when navigated to directly.

To mitigate the impact of this in extensions, two exemptions apply:

  • If a page with the chrome-extension:// scheme is embedded in any site, storage partitioning will not apply, and the extension will have access to its top-level partition.
  • If a page with the chrome-extension:// scheme includes an iframe, and the extension has host permissions for the site it is embedding, that site will also have access to its top-level partition.

Cookies

Cookies provide a way to store key/value pairs associated with a specific domain and path. They have limited value in extensions but understanding their behavior can be useful if you have a specific use case or have bundled a third-party script which uses them in its implementation.

Secure cookies

The Secure cookie attribute is only supported for the https:// scheme. Consequently, chrome-extension:// pages are not able to set cookies with this attribute.

This also means that extension pages cannot use other cookie attributes where the Secure attribute is required:

Partitioning

When an extension embeds a third-party site, that site will use the extension origin as the partition key. This means the site will not be able access the same cookies as if it was navigated to directly. See https://crbug.com/1463991.

Cookies set on chrome-extension:// pages always use SameSite=Lax. Consequently, they can never be accessed in iframes and partitioning is not relevant.

When an extension embeds a third-party website inside one of its pages, the behavior depends on the choices on Chrome's Privacy and security settings page:

  • If third-party cookies are enabled, the site can access cookies from a partition keyed based on its origin.
  • If third-party cookies are blocked, Chrome uses the extension origin as the partitioning key for the third-party site's cookies. This means that the site will not be able to access partitioned cookies associated with other partitions such as the cookies it could access if it were navigated to directly.

This setting is part of the Privacy Sandbox work and is being adjusted according to this timeline.

The chrome.cookies API currently operates on cookies from all partitions. For more information, see the API reference.

Published on Improve article

This site uses cookies to deliver and enhance the quality of its services and to analyze traffic. If you agree, cookies are also used to serve advertising and to personalize the content and advertisements that you see. Learn more about our use of cookies.