VS Code Extension v0.1.14
Highlights
- Fix the bridge authorization gate: requests with the trusted client header but no
Originheader are now accepted. Chrome omitsOriginwhen the extension fetches ahost_permissionshost (the local bridge), so the previous hard requirement silently broke the side panel (model list, chat). - Harden
run_terminalvalidation: block shell metacharacters (;,&,|,>,<, backtick, newline) and command substitution ($(...),${...}) so an allowed prefix (e.g.git status) can no longer smuggle a second command. - Make the Copilot CLI fallback abort-safe: reject immediately without spawning a child process when the request is already aborted, and detach the abort listener / clear the timeout on every settle path.
- Add
Access-Control-Max-Ageto CORS preflight responses to avoid redundant round-trips.
Tests
- New HTTP-level integration test for the authorization gate (401 / 403 / 404 / 200 / preflight).
- New regression tests for terminal command chaining/substitution and the already-aborted CLI path.
Artifact
- VSIX:
copilot-browser-bridge-vscode-0.1.14.vsix - Size: 40,453 bytes
- SHA256:
9562648C2B59E82A995CB75430288131EDD817AA4BF2E24F721562B9FD6370EA
Marketplace
If VSCE_PAT is valid, this VSIX is published to the Marketplace. Otherwise the same VSIX is attached to the GitHub Release and republished after PAT renewal without re-tagging.