Major capture-quality + safety release, driven by an adversarial edge-case audit (20 findings, 16 fixed) plus the LinkedIn page-load capture fix. 83 unit + 12 e2e green (real Chromium, real MV3 contexts).
Install
- Download
api-reverse-engineer-1.10.0.zipbelow and unzip it. chrome://extensions→ enable Developer mode → Load unpacked → select the unzipped folder (remove any older copy first).- For reverse-engineering your own APIs, untick Redact secrets for full-fidelity, replay-ready captures. Redaction is a safe-to-share feature, not self-protection.
Highlights
Capture coverage
- Page-load capture (
document_startMAIN-world injection) — captures the API calls a SPA fires on load/navigation (LinkedIn Voyager graphql / RSC), previously missed entirely. - WebSocket capture — realtime chat / presence frames (
WS_SEND/WS_RECV), previously a blind spot. - Decode blob/arraybuffer XHR bodies — LinkedIn serves Voyager JSON over
responseType='blob'; the full responseType enum is handled and never throws into the page.
Fidelity (data lost even in raw mode)
fetch(new Request(url,{body}))request body captured (RSC/GraphQL writes werebody:null).- Big-int IDs preserved byte-exact in
request.bodyRaw(entityUrn/ snowflake). URLSearchParams/FormDatabodies serialized (were{}).- Reused
XMLHttpRequestno longer duplicates / mislabels captures.
Page safety
- Streaming / SSE responses no longer hang the page (response returned immediately; clone read detached + byte-capped).
clone()guarded.
Redaction (safe-to-share, no-op in raw mode)
- Recurse arrays + deep nesting (Voyager
included[]tokens leaked); redact URL query/fragment params.
Robustness
- Pre-recording buffer bounded by bytes + drop warning; closing the recording tab does an implicit STOP.
Deferred (low probability, documented): OPFS QuotaExceededError, large-capture download memory, fallback eviction signal, value-side header redaction.
Full notes in CHANGELOG.md.