From fe48d4a4650e3bacc919271eae60494813b4fc91 Mon Sep 17 00:00:00 2001
From: nicomiguelino
Date: Mon, 11 May 2026 10:21:04 -0700
Subject: [PATCH 1/2] fix: rewrite Origin header to bypass CORS restriction on Screenly API The Screenly API's nginx CORS config only allows requests from *.screenlyapp.com origins. Browser extension requests carry a chrome-extension:// or moz-extension:// origin, which nginx rejects with a 403 before the request reaches the application. Uses declarativeNetRequest to rewrite the Origin header to https://app.screenlyapp.com on all requests to api.screenlyapp.com, unblocking asset creation and all other API calls from the extension. Temporary fix until the backend CORS allowlist is updated to include browser extension origins.
---
 src/assets/rules.json | 20 ++++++++++++++++++++
 src/manifest-chrome.json | 12 +++++++++++-
 src/manifest-firefox.json | 12 +++++++++++-
 webpack.common.js | 8 ++++++++
 4 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 src/assets/rules.json
diff --git a/src/assets/rules.json b/src/assets/rules.json
new file mode 100644
index 0000000..9b3ad40
--- /dev/null
+++ b/src/assets/rules.json
@@ -0,0 +1,20 @@
+[
+ {
+ "id": 1,
+ "priority": 1,
+ "action": {
+ "type": "modifyHeaders",
+ "requestHeaders": [
+ {
+ "header": "Origin",
+ "operation": "set",
+ "value": "https://app.screenlyapp.com"
+ }
+ ]
+ },
+ "condition": {
+ "urlFilter": "https://api.screenlyapp.com/*",
+ "resourceTypes": ["xmlhttprequest"]
+ }
+ }
+]
diff --git a/src/manifest-chrome.json b/src/manifest-chrome.json
index d3cd237..2479907 100644
--- a/src/manifest-chrome.json
+++ b/src/manifest-chrome.json
@@ -12,8 +12,18 @@
 "activeTab",
 "storage",
 "scripting",
- "cookies"
+ "cookies",
+ "declarativeNetRequest"
 ],
+ "declarative_net_request": {
+ "rule_resources": [
+ {
+ "id": "screenly_api_rules",
+ "enabled": true,
+ "path": "assets/rules.json"
+ }
+ ]
+ },
 "host_permissions": [
 "http://*/*",
 "https://*/*"
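Review bot: The rule's `condition` in `src/assets/rules.json` names only the target URL and `resourceTypes`, so nothing in it limits the header rewrite to requests the extension itself makes. With the `http://*/*` and `https://*/*` host permissions visible in the manifest hunks, an XHR to the API started by any page the user has open would presumably also be sent with `Origin: https://app.screenlyapp.com`, so the server can no longer rely on Origin to tell first-party calls from cross-site ones for users who have the extension installed. Scoping the rule to the extension as initiator would contain the workaround, for example an `initiatorDomains` entry holding the extension's own id, registered as a dynamic rule at startup where the id is not fixed (Firefox); whether each target browser accepts an extension id there needs checking. JSON cannot carry a comment, so the removal condition the commit message mentions is worth recording in a tracking issue.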
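Review bot: The `declarativeNetRequest` permission added to `permissions` in `src/manifest-chrome.json` (and identically in `src/manifest-firefox.json`) is broader than the single `modifyHeaders` rule needs, because it also allows rules that block or upgrade requests on any site without host access. `declarativeNetRequestWithHostAccess` limits rules to hosts the extension already holds permissions for, and since the hunk's context shows `host_permissions` covering all http and https URLs it looks sufficient here, though that should be confirmed for requests issued from the extension's own pages. The change would be `"declarativeNetRequestWithHostAccess"` in place of `"declarativeNetRequest"`. The `permissions` array starts above the hunk.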
diff --git a/src/manifest-firefox.json b/src/manifest-firefox.json
index 09eae82..664e344 100644
--- a/src/manifest-firefox.json
+++ b/src/manifest-firefox.json
@@ -12,8 +12,18 @@
 "activeTab",
 "storage",
 "scripting",
- "cookies"
+ "cookies",
+ "declarativeNetRequest"
 ],
+ "declarative_net_request": {
+ "rule_resources": [
+ {
+ "id": "screenly_api_rules",
+ "enabled": true,
+ "path": "assets/rules.json"
+ }
+ ]
+ },
 "host_permissions": [
 "http://*/*",
 "https://*/*"
diff --git a/webpack.common.js b/webpack.common.js
index 6e947b2..f1434fa 100644
--- a/webpack.common.js
+++ b/webpack.common.js
@@ -69,6 +69,14 @@ module.exports = {
 },
 ],
 }),
+ new CopyWebpackPlugin({
+ patterns: [
+ {
+ from: "src/assets/rules.json",
+ to: "assets/rules.json",
+ },
+ ],
+ }),
 new HtmlWebpackPlugin({
 filename: 'popup.html',
 template: './src/popup.html',
From 1db786c9c81ef72bcca194d6635e52914b2a002e Mon Sep 17 00:00:00 2001
From: nicomiguelino
Date: Mon, 11 May 2026 11:23:55 -0700
Subject: [PATCH 2/2] fix: narrow urlFilter to /api/* in declarativeNetRequest rule
---
 src/assets/rules.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/assets/rules.json b/src/assets/rules.json
index 9b3ad40..6c0c37f 100644
--- a/src/assets/rules.json
+++ b/src/assets/rules.json
@@ -13,7 +13,7 @@
 ]
 },
 "condition": {
- "urlFilter": "https://api.screenlyapp.com/*",
+ "urlFilter": "https://api.screenlyapp.com/api/*",
 "resourceTypes": ["xmlhttprequest"]
 }
 }
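Review bot: The new `CopyWebpackPlugin` entry in `webpack.common.js` quotes its paths with double quotes while the surrounding lines of the hunk use single quotes (`'popup.html'`), so `from: 'src/assets/rules.json',` and `to: 'assets/rules.json',` would match the file. The context just above closes another plugin call that ends in an array; if that is an existing `CopyWebpackPlugin` with `patterns`, adding this entry to it would avoid a second instance. That call begins outside the hunk, so this cannot be confirmed from here.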
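Review bot: The narrowed `urlFilter` in `src/assets/rules.json` still has no left anchor, and a `urlFilter` without `|` or `||` matches its pattern anywhere in the request URL. A request to a different host whose path or query happens to contain `https://api.screenlyapp.com/api/` would therefore also get the rewritten `Origin`. Anchoring it as `"urlFilter": "|https://api.screenlyapp.com/api/"`, or adding `"requestDomains": ["api.screenlyapp.com"]` to the condition, ties the rule to the API host. The rule object begins above the hunk.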