Notifications in a Browser Extension

  • How hard would it be to turn this into a ~~substitute~~complement of the notifications menu?
    (assuming one's willing to trust it with one's cookie and CSRF token)


    As in, have it show notifications from the forums as well, regardless of the tab you have opened?

    Doable... I should even be able to ~~steal~~borrow a lot of code from SockBot and not have to write it anew. Either that, or get it from the tab itself if open, I'm pretty sure you can hook into background tabs? That wouldn't require logging in nor constant polling (I could probably just hijack the notification event for my porpoises).

    If more people would be interested I could take a look. A new topic with the proposal and discussion would probably be a good idea too.

  • Ok, getting the cookie should be trivial and not need an open tab.

    A valid CSRF token can be taken from an open tab's DOM:

    <meta content="VGhpcyBpcyBOT1QgbXkgQ1NSRiB0b2tlbiA9UA==" name="csrf-token" />


    There's a "proper" way to get it, too.

    That's how even I got far with my API I started on, logging in and grabbing notifications. So I know how to do that bit of the workflow.

    I'm flagging for a split here, want to keep this topic mostly for release notification and tech support.

    moved - bz

  • Winner of the 2016 Presidential Election

    This would definitely be useful

  • @Onyx said:

    There's a "proper" way to get it, too.

    GET /session/csrf.json

    not too hard.

    Or, you could use a content script and just call Discourse.ajax which handles that for you and has auto-retry for CSRF failures.

    You can use postMessage() or XHR or fetch() to chrome-extension:// to give data back to the extension.

  • SockDev

    of course, the .json is required for this one endpoint

    normally it's optional if you set the X-Requested-With header to XMLHttpRequest because you'll get JSON back from the endpoint for XHR requests....


    @riking said:

    GET /session/csrf.json

    That's what I meant, yes.

    @riking said:

    Or, you could use a content script

    Which requires the page open somewhere. Which is fine, but might as well not make it depend on that.
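
The two ways of getting the token discussed in this thread (the `csrf-token` meta tag in an open tab's DOM, and `GET /session/csrf.json`), as an added example that is not code from any poster. The forum origin, the `{ csrf }` response shape and the sample HTML are assumptions made for illustration.

```javascript
// Added example, not code from the thread. FORUM_ORIGIN and the { csrf }
// response shape are assumptions; SAMPLE_HTML is constructed.
const FORUM_ORIGIN = "https://forum.example";
const SAMPLE_HTML =
  '<meta name="viewport" content="width=device-width">' +
  '<meta content="Q09OU1RSVUNURUQ=" name="csrf-token" />';

// Way 1: read the token from page HTML, as in the <meta> tag quoted above.
// Attributes are matched one by one because content= may come before name=.
function csrfFromHtml(html) {
  for (const [tag] of html.matchAll(/<meta\b[^>]*>/gi)) {
    const attr = (n) =>
      (tag.match(new RegExp(`\\b${n}\\s*=\\s*["']([^"']*)["']`, "i")) || [])[1];
    if (attr("name") === "csrf-token") return attr("content") || null;
  }
  return null;
}

// Way 2: ask the server, no open tab needed. fetchImpl is injectable so the
// function can be exercised offline with a stub.
async function csrfFromSession(fetchImpl = fetch, origin = FORUM_ORIGIN) {
  const url = new URL("/session/csrf.json", origin);
  // Only ever attach the session cookie to the one expected HTTPS origin.
  if (url.protocol !== "https:" || url.origin !== FORUM_ORIGIN) {
    throw new Error(`refusing to send credentials to ${url.origin}`);
  }
  const res = await fetchImpl(url.href, {
    credentials: "include", // send the forum session cookie
    headers: { "X-Requested-With": "XMLHttpRequest" },
  });
  if (!res.ok) throw new Error(`CSRF request failed: HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.csrf !== "string" || body.csrf === "") {
    throw new Error("response has no csrf field");
  }
  return body.csrf;
}
```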
