Skip to content

v0.13.2 — clip endpoint trusts only the published extension

Choose a tag to compare

@ca1773130n ca1773130n released this 04 Jul 05:04

A small security hardening for the web clipper, now that the Clip to Tesserae Chrome extension is published.

POST /api/clip trusts only the published extension. tesserae serve's CORS policy previously trusted any chrome-extension:// / moz-extension:// origin — so any extension a user had installed could POST clips into their local server. Now the extension origin must be allow-listed: the published extension by default (zero config), plus any ids you add to a clip_extension_ids list in ~/.tesserae/config.json (your own unpacked dev build, Firefox, or a fork):

{ "clip_extension_ids": ["your-dev-build-extension-id"] }

Loopback http(s) origins, the no-Origin caller, and the orthogonal clip_token control are unchanged. The list is read fresh per request — no restart to trust a new id.

Drop-in over v0.13.x. If you clip with the published extension, nothing changes.

Full notes: https://github.com/ca1773130n/Tesserae/blob/main/docs/release-notes/v0.13.2.md