The extension’s fetch() runs your request in the extension’s service worker instead of the page, so it is not bound by CORS. It has the same shape as the platform fetch, plus FKN-specific options.
A cookie-less cross-origin fetch exposes no user data: it reads what anyone on the network could read. It is granted automatically (severity 0) and still recorded in the user’s activity log.
Pass credentials: 'include' and the request carries the target site’s cookies, including SameSite=Lax/Strict and httpOnly cookies the page itself could never read. This is the capability behind session relay, and it always prompts: the user sees exactly which site the app wants to reach as them.
credentials: A string indicating whether credentials will be sent with the request: always, never, or only when sent to a same-origin URL. Sets the request's credentials.

reason?: string | undefined

```js
  credentials: 'include',
  reason: 'Load your watch history from your existing account',
})
```
The cookie values never pass through your app’s code: the extension attaches them in its service worker via declarative request rules.
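An added example (not part of the extension's own documentation) of the least-privilege pattern these two tiers invite: try the auto-granted cookie-less fetch first and only escalate to the prompting credentials: 'include' call, with a reason string, when the public request is refused. It assumes only what the page states (platform fetch signature plus `reason`); the extension's fetch is injected as `extFetch` so the code runs offline against a constructed fake.

```javascript
// Hypothetical app-side helper; `extFetch` stands for the extension's fetch.
async function loadWithLeastCredentials(extFetch, url, reason) {
  // Tier 0: cookie-less cross-origin fetch. Auto-granted (severity 0),
  // only logged, and exposes nothing the network could not already see.
  let res = await extFetch(url, { credentials: 'omit' });
  if (res.status !== 401 && res.status !== 403) {
    return { body: await res.text(), usedSession: false };
  }
  // Escalate only when the public request was refused. This call prompts
  // the user, so the reason is passed along to explain the request.
  res = await extFetch(url, { credentials: 'include', reason });
  if (!res.ok) throw new Error(`request failed: ${res.status}`);
  return { body: await res.text(), usedSession: true };
}

// Constructed fake of the extension's fetch for running offline. It records
// each call and behaves like a site that returns data only to a session.
function makeFakeExtFetch(log) {
  return async (url, init) => {
    log.push({ url, credentials: init.credentials, reason: init.reason });
    const ok = init.credentials === 'include';
    return {
      ok,
      status: ok ? 200 : 401,
      text: async () => (ok ? 'history:[...]' : ''),
    };
  };
}
```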
When an app genuinely needs a cookie’s value (for example a CSRF token to replay into a request body), cookies.get() returns a single cookie by name for a given URL. It is gated and logged per target origin, and it never enumerates: your app must name the cookie it wants.
Requests through the extension can set Origin and Referer, which page JavaScript cannot. These are applied by the service worker through declarative rules and are covered by the same consent as the fetch they belong to.