2.0 KB · updated 2026-07-06 · md

v0.13.2.md

docs/release-notes/v0.13.2.md

Tesserae v0.13.2 — clip endpoint trusts only the published extension

<!-- translations:start -->

한국어 · 中文 · 日本語 · Русский · Español · Français · Deutsch

<!-- translations:end -->

Released 2026-07-02 · PyPI · GitHub release · pip install --upgrade tesserae==0.13.2

A small security hardening for the web clipper, now that the Clip to Tesserae Chrome extension is published.

POST /api/clip trusts only the published extension

tesserae serve accepts clips from the browser extension. Its CORS policy previously trusted any chrome-extension:// / moz-extension:// origin — so any extension a user happened to have installed could POST clips into their local server.

Now the extension origin must be allow-listed:

  • the published Clip to Tesserae extension is trusted by default (zero config), and
  • you can trust additional ids — your own unpacked dev build, Firefox, or a fork — by adding them to a clip_extension_ids list in ~/.tesserae/config.json:
{ "clip_extension_ids": ["your-dev-build-extension-id"] }

Loopback http(s) origins, the no-Origin (non-browser) caller, and the orthogonal shared-secret clip_token are unchanged. The list is read fresh on each request, so no restart is needed to trust a new id.

Upgrading

Drop-in over v0.13.x. If you clip with the published extension, nothing changes. If you develop the extension locally, add your unpacked build's id to clip_extension_ids.