pull down to refresh
0 sats \ 11 replies \ @k00b 21h \ parent \ on: Stacker Saloon
If they give you permission, I’m not sure how we’d gate it on our end.
I was thinking of adding a "read-only" version of the endpoint or even just an optional "read-only" query-string parameter. That way you could use a url like
"https://stacker.news/api/read-only-graphql" or "https://stacker.news/api/graphql?readOnly=true" so then you could be sure it couldn't run a mutationreply
I do think we can actually just allow queries and block mutations, by making the endpoint aware that we don't want to use mutations.
This requires more thinking and testing than just my sentence above. I know that we can do stuff to the GraphQL middleware.
If you don't mind the wait, I'll explore more about it in the coming days ^^
reply
yeah with the host permissions my background can break CORS and send whatever it wants. I need to check but I think it's making the requests with the logged in users credentials. This says https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#host-permissions
Access cookies with the chrome.cookies API.reply
Ah, you are right, it mentions that host permissions allow cross-site requests here:
Host permissions are specified as match patterns, and each pattern identifies a group of URLs for which the extension is requesting extra privileges. For example, a host permission could be"*://developer.mozilla.org/*".The extra privileges include:
- XMLHttpRequest and fetch access to those origins without cross-origin restrictions (though not for requests from content scripts, as was the case in Manifest V2).
I did not know that (I don't know anything about extensions), that is cool and scary haha
reply
(though not for requests from content scripts, as was the case in Manifest V2)
Yeah this is why I need to open the port to the background and do fetches from there. It's still crazy powerful. My claim to fame was a SEO extension that was calling random websites and toolbars unpublished json API's with 100k active users. It would basically overload their api with traffic overnight without any toolbar installs because I was mimicking how their extensions make their API calls. It also injected itself on every page so it was running on bank pages and stuff. I didnt keep it updated and it was removed when they went to manifest v3
reply
reply
I want to make one with a page action that is for submitting any url you may be on but this one is to help arbitrage links between HN and Stacker. You don't want to submit a duplicate so it needs to call the dup check for all the HN post urls. Right now its doing it in batches of 5. Heres my current graphql query
query UrlBatch($url0: String!, $url1: String!, $url2: String!, $url3: String!, $url4: String!) {
url0: dupes(url: $url0) { ...DupeInfo }
url1: dupes(url: $url1) { ...DupeInfo }
url2: dupes(url: $url2) { ...DupeInfo }
url3: dupes(url: $url3) { ...DupeInfo }
url4: dupes(url: $url4) { ...DupeInfo }
}
fragment DupeInfo on Item {
createdAt
commentSats
commentCredits
credits
id
ncomments
sub { name }
sats
title
updatedAt
upvotes
url
user { name id }
}
It shows a loading icon while its waiting for the batches of graphql queries to finish
Then if it has results is shows you info about the territory it was submitted to and how many sats its gotten
reply