fix: rewrite Origin header to bypass CORS restriction on Screenly API #216
Open
nicomiguelino wants to merge 2 commits into
Conversation
The Screenly API's nginx CORS config only allows requests from *.screenlyapp.com origins. Browser extension requests carry a chrome-extension:// or moz-extension:// origin, which nginx rejects with a 403 before the request reaches the application. Uses declarativeNetRequest to rewrite the Origin header to https://app.screenlyapp.com on all requests to api.screenlyapp.com, unblocking asset creation and all other API calls from the extension. Temporary fix until the backend CORS allowlist is updated to include browser extension origins.
Pull request overview
This PR addresses Screenly API requests being blocked from browser extension origins by adding a Manifest V3 declarativeNetRequest ruleset that rewrites the Origin header for requests to api.screenlyapp.com, and wires the ruleset into the build + platform manifests.
Changes:
- Add a static DNR ruleset (`src/assets/rules.json`) that sets `Origin: https://app.screenlyapp.com` for requests to `api.screenlyapp.com`.
- Update both Chrome and Firefox MV3 manifests to enable the ruleset and request the `declarativeNetRequest` permission.
- Update the webpack build to copy the ruleset JSON into the packaged extension under `assets/`.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| webpack.common.js | Copies the new DNR ruleset into the build output so manifests can reference it. |
| src/manifest-chrome.json | Enables the DNR ruleset and adds declarativeNetRequest permission for Chrome MV3. |
| src/manifest-firefox.json | Enables the DNR ruleset and adds declarativeNetRequest permission for Firefox MV3. |
| src/assets/rules.json | Implements the header rewrite rule to spoof Origin for Screenly API calls. |
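The following is an added example, not the PR's `rules.json` or any other file from the Screenly extension. It builds a `declarativeNetRequest` rule of the kind the PR describes and models the server-side check it works around: a Node-runnable stand-in for the nginx `Origin` allowlist (its exact regex is an assumption inferred from "only allows `*.screenlyapp.com` origins"), plus a small header-rewriting step that applies the rule the way the browser does before the request leaves the machine. The point it shows is the caveat a reviewer should raise: an `Origin` allowlist on the server only restricts callers that cannot control their own `Origin` header, so once a privileged client rewrites it the check passes unconditionally; it is not an authentication control. The `urlFilter`, `resourceTypes` and extension ID are assumed values.

```javascript
// Added example (not the PR's own rules.json). Builds an MV3 DNR rule that
// rewrites Origin for api.screenlyapp.com and models the nginx allowlist check
// it is meant to satisfy. Hostnames, filter and regex are assumptions.

// Static DNR rule: on every request to api.screenlyapp.com, overwrite the
// Origin request header with the allowlisted first-party origin.
const REWRITE_ORIGIN_RULE = {
  id: 1,
  priority: 1,
  action: {
    type: 'modifyHeaders',
    requestHeaders: [
      { header: 'Origin', operation: 'set', value: 'https://app.screenlyapp.com' },
    ],
  },
  condition: {
    urlFilter: '||api.screenlyapp.com/',   // assumed filter: the API host and its subdomains
    resourceTypes: ['xmlhttprequest'],     // assumed: fetch()/XHR from extension pages
  },
};

// Model of the nginx CORS allowlist (ASSUMED shape): https origins on
// screenlyapp.com or any of its subdomains, nothing else.
const ALLOWED_ORIGIN = /^https:\/\/([a-z0-9-]+\.)*screenlyapp\.com$/i;

function originAllowed(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGIN.test(origin);
}

// Apply one DNR modifyHeaders rule to a lower-cased header map. Only the
// 'set', 'remove' and 'append' operations exist for requestHeaders in MV3.
// The '||host/' filter is reduced to an exact-or-subdomain host match here;
// the real engine also supports paths and wildcards.
function applyRule(rule, url, headers) {
  const host = new URL(url).hostname;
  const filterHost = rule.condition.urlFilter.replace(/^\|\|/, '').replace(/\/$/, '');
  const out = { ...headers };
  if (host !== filterHost && !host.endsWith('.' + filterHost)) return out;
  for (const h of rule.action.requestHeaders) {
    const name = h.header.toLowerCase();
    if (h.operation === 'set') out[name] = h.value;
    else if (h.operation === 'remove') delete out[name];
    else if (h.operation === 'append') out[name] = out[name] ? `${out[name]}, ${h.value}` : h.value;
  }
  return out;
}

// Status the modelled nginx front end would return for the final headers:
// 403 when the Origin is not on the allowlist, otherwise pass through (200).
function nginxStatus(headers) {
  return originAllowed(headers.origin) ? 200 : 403;
}

// Walk one request through both paths. The extension ID is a constructed
// placeholder, not a real one.
function demo() {
  const url = 'https://api.screenlyapp.com/v4/assets/';
  const before = { origin: 'chrome-extension://abcdefghijklmnopabcdefghijklmnop' };
  const after = applyRule(REWRITE_ORIGIN_RULE, url, before);
  return {
    before: nginxStatus(before),   // 403: extension origin is rejected
    after: nginxStatus(after),     // 200: rewritten origin is on the allowlist
    afterOrigin: after.origin,
  };
}

module.exports = { REWRITE_ORIGIN_RULE, originAllowed, applyRule, nginxStatus, demo };
```

`demo()` returns 403 for the untouched extension origin and 200 once the rule has rewritten it, which is exactly what the PR relies on. The same run shows why this is a workaround rather than a fix: the server never learns that the caller was an extension, and any other client able to set its own `Origin` (curl, a native app, a different extension with the same permission) passes the allowlist identically. The durable change is the one the PR description already names, adding the extension origins to the backend allowlist, and ideally pairing it with a credential check rather than relying on `Origin` at all.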
Summary
- The Screenly API's nginx CORS config rejects `chrome-extension://` and `moz-extension://` origins with a 403, blocking all API calls from the extension
- Uses `declarativeNetRequest` to rewrite the `Origin` header to `https://app.screenlyapp.com` on all requests to `api.screenlyapp.com`
- Adds a `rules.json` static ruleset and wires it into both browser manifests and the webpack build

Notes
Test plan
generate_manifest chrome && npx webpack --config webpack.prod.js)