Chrome Extension #724
Chrome Extension #724
Conversation
|
https://watch.screencastify.com/v/2XDnV1BxjyDmMmOPf3N6 - Current status |
|
Waiting for the prod version to be up so I can test that this works in prod too |
|
I need the CSRF_TRUSTED_ORIGINS change in settings.py to be checked in to test it with prod. |
cardboard/settings.py
Outdated
| @@ -43,6 +43,9 @@ | |||
| "cardinality-cardboard.herokuapp.com", | |||
| ] | |||
|
|
|||
| # For Cardboard Chrome Extension | |||
| CSRF_TRUSTED_ORIGINS = ["chrome-extension://cahmppnjflkbimomgndbcmbdoafdegbi"] | |||
There was a problem hiding this comment.
Is this guaranteed to be the same for everyone? Or is it different per user?
There was a problem hiding this comment.
This just got published in the Chrome extensions store. The one that everyone will download with have a fixed ID. In development, or if you side load the extension, you will have a different ID. Do you have a problem if we wildcard it instead "chrome-extension://*"?
There was a problem hiding this comment.
Ok got it. I guess as a bandaid we can do the wildcard, it's sort of a security hole but realistically there's not much to attack.
I think the way this "should" work is with token based auth. We could add oauth login to cardboard (link) and then use chrome.identity in the extension to authenticate with cardboard.
I think it's probably not actually that much work to implement this but we can punt on it for now and track it in a separate issue.
Add published Cardboard Chrome extension ID
All for other local host permissions
Deleted zip
No description provided.