Disable site isolation in Chrome settings to see the cookies in the Network pane. I faced the issue that cookies are sent if the server sends proper CORS headers, but Chrome (version 70) would not show the sent cookies in the Network tab. Disabling site isolation made those cookies show up in the Network pane for me.
What is site isolation?
Site isolation is a new security feature in Chrome 67 and above. Chrome follows a multi-process architecture, which means that each site gets its own renderer process, so an attacker's website and a victim's website run in different renderer processes. However, if the attacker's website embeds the victim's website in an iframe, both share the same renderer process. This made it possible for the attacker's website (using the victim's website as an iframe) to inject malicious code into the renderer process and read the victim site's data, such as cookies, even though cookies are not shared under the same-origin policy.
Site isolation prevents this by creating a different renderer process even for the same website. Every renderer process loads only one document. Therefore, the renderer process that loads the attacker's website and the one that loads the victim's website are different, even if the victim's website is loaded in an iframe on the attacker's website.
What are the issues due to site isolation?
One of the issues I faced in Chrome 70 is that the cookies for cross-origin requests are not visible in the Network pane. It is also mentioned as a known issue on the Chromium issue page. Other issues include:
- The rendering of the page layout will not be synchronous. This is expected, as the page is no longer handled by a single renderer process and iframes have their own renderer processes.
- Unload handlers of the iframe will time out and not run for a long time.
How to enable/disable site isolation?
- Disabling permanently: In order to disable it permanently, go to the settings page (chrome://flags/#enable-site-per-process) and click on disable.
- Running Chrome with site isolation disabled: This option is good if you want to temporarily disable site isolation in Chrome. To do so, you will have to run a new instance of Chrome from the command line with the site isolation argument set to disabled:
/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --user-data-dir="/tmp/chrome_dev_session" --disable-site-isolation-trials
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-site-isolation-trials
You can also disable it only for some sites, given as a comma-separated list, using the command line:
--isolate-origins=https://google.com,https://youtube.com
You can read more about running Google Chrome with arguments/flags on Windows, macOS and Linux here
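A Chrome instance launched with site isolation disabled should stay confined to a separate profile and be closed after debugging, so it is worth checking which running instances carry the flag. The following is an added example, not part of the original post: it parses process command lines for the flags shown above, using constructed sample lines, POSIX shell quoting and hypothetical function names.

```python
import os
import shlex

DISABLE_FLAG = "--disable-site-isolation-trials"

def audit_chrome_cmdline(cmdline):
    """Parse one process command line (POSIX quoting assumed) for isolation flags."""
    argv = shlex.split(cmdline)
    info = {"is_chrome": False, "isolation_disabled": False,
            "profile_dir": None, "isolated_origins": []}
    # Only look at processes whose executable name contains "chrome".
    if not argv or "chrome" not in os.path.basename(argv[0]).lower():
        return info
    info["is_chrome"] = True
    for arg in argv[1:]:
        name, _, value = arg.partition("=")
        if name == DISABLE_FLAG:
            info["isolation_disabled"] = True
        elif name == "--user-data-dir":
            info["profile_dir"] = value
        elif name == "--isolate-origins":
            info["isolated_origins"] = [o for o in value.split(",") if o]
    return info

def review(cmdlines):
    """List Chrome instances running without site isolation and the profile they use."""
    findings = []
    for line in cmdlines:
        info = audit_chrome_cmdline(line)
        if not info["isolation_disabled"]:
            continue
        # No --user-data-dir means the everyday profile, with its logged-in
        # sessions, is the one running without isolation.
        scope = "separate-profile" if info["profile_dir"] else "default-profile"
        findings.append((scope, info["profile_dir"]))
    return findings

# Constructed sample command lines, e.g. as a process listing would report them.
SAMPLE = [
    r'/Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome '
    r'--user-data-dir="/tmp/chrome_dev_session" --disable-site-isolation-trials',
    '/opt/google/chrome/chrome --disable-site-isolation-trials',
    '/opt/google/chrome/chrome --isolate-origins=https://google.com,https://youtube.com',
    '/usr/bin/python3 server.py --disable-site-isolation-trials',
]

if __name__ == "__main__":
    for scope, profile in review(SAMPLE):
        print(scope, profile)
```

A "default-profile" finding is the one to act on first, since that instance holds the user's real cookies while isolation is off.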