Notifications in a Browser Extension


  • 🚽 Regular

    How hard would it be to turn this into a substitutecomplement of the notifications menu?
    (assuming one's willing to trust it one's cookie and CSRF token)


  • BINNED

    As in, have it show notifications from the forums as well, regardless of the tab you have opened?

    Doable... I should even be able to stealborrow a lot of code from SockBot and not have to write it anew. Either that, or get it from the tab itself if open, I'm pretty sure you can hook into background tabs? That wouldn't require logging in nor constant polling (I could probably just hijack the notification event for my porpoises).

    If more people would be interested I could take a look. A new topic with the proposal and discussion would probably be a good idea too.


  • 🚽 Regular

    Ok, getting the cookie should be trivial and not need an open tab.

    A valid CSRF token can be taken from am open tabs's DOM:

    <meta content="VGhpcyBpcyBOT1QgbXkgQ1NSRiB0b2tlbiA9UA==" name="csrf-token" />

  • BINNED

    There's a "proper" way to get it, too.

    That's how even I got far with my API I started on, logging in and grabbing notifications. So I know how to do that bit of the workflow.

    I'm flagging for a split here, want to keep this topic mostly for release notification and tech support.


    moved - bz


  • :belt_onion:

    This would definitely be useful



  • @Onyx said:

    There's a "proper" way to get it, too.

    GET /session/csrf.json

    not too hard.

    Or, you could use a content script and just call Discourse.ajax which handles that for you and has auto-retry for CSRF failures.

    You can use postMessage() or XHR or fetch() to chrome-extension:// to give data back to the extension.


  • FoxDev

    of course, the .json is required for this one endpoint :wtf:

    normally it's optional if you set the X-Requested-With header to XMLHttpRequest because you'll get JSON back from the endpoint for XHR requests....


  • BINNED

    @riking said:

    GET /session/csrf.json

    That's what I meant, yes.

    @riking said:

    Or, you could use a content script

    Which requires the page open somewhere. Which is fine, but might as well not make it depend on that.


Log in to reply