pull down to refresh

0 sats \ 3 replies \ @ek 14 Jul \ parent \ on: Stacker Saloon
Are you sure even if you allow /api/graphql, that you can run mutations on behalf of the user inside an extension? I think the SameSite property of our cookies will not allow that.
Or will it work because of host permissions?
write
preview
100 sats \ 2 replies \ @carter 14 Jul
yeah with the host permissions my background can break CORS and send whatever it wants. I need to check but I think it's making the requests with the logged in users credentials. This says https://developer.chrome.com/docs/extensions/develop/concepts/declare-permissions#host-permissions Access cookies with the chrome.cookies API.
reply
0 sats \ 1 reply \ @ek 14 Jul
Ah, you are right, it mentions that host permissions allow cross-site requests here:
Host permissions are specified as match patterns, and each pattern identifies a group of URLs for which the extension is requesting extra privileges. For example, a host permission could be "*://developer.mozilla.org/*".
The extra privileges include:
  • XMLHttpRequest and fetch access to those origins without cross-origin restrictions (though not for requests from content scripts, as was the case in Manifest V2).
I did not know that (I don't know anything about extensions), that is cool and scary haha
reply
0 sats \ 0 replies \ @carter 14 Jul
(though not for requests from content scripts, as was the case in Manifest V2)
Yeah this is why I need to open the port to the background and do fetches from there. It's still crazy powerful. My claim to fame was a SEO extension that was calling random websites and toolbars unpublished json API's with 100k active users. It would basically overload their api with traffic overnight without any toolbar installs because I was mimicking how their extensions make their API calls. It also injected itself on every page so it was running on bank pages and stuff. I didnt keep it updated and it was removed when they went to manifest v3
reply