v0.13.2 — clip endpoint trusts only the published extension
A small security hardening for the web clipper, now that the Clip to Tesserae Chrome extension is published.
POST /api/clip trusts only the published extension. tesserae serve's CORS policy previously trusted any chrome-extension:// / moz-extension:// origin — so any extension a user had installed could POST clips into their local server. Now the extension origin must be allow-listed: the published extension by default (zero config), plus any ids you add to a clip_extension_ids list in ~/.tesserae/config.json (your own unpacked dev build, Firefox, or a fork):
{ "clip_extension_ids": ["your-dev-build-extension-id"] }Loopback http(s) origins, the no-Origin caller, and the orthogonal clip_token control are unchanged. The list is read fresh per request — no restart to trust a new id.
Drop-in over v0.13.x. If you clip with the published extension, nothing changes.
Full notes: https://github.com/ca1773130n/Tesserae/blob/main/docs/release-notes/v0.13.2.md