v0.13.2.md
docs/release-notes/v0.13.2.md
Tesserae v0.13.2 — clip endpoint trusts only the published extension
<!-- translations:start -->
한국어 · 中文 · 日本語 · Русский · Español · Français · Deutsch
<!-- translations:end -->
Released 2026-07-02 · PyPI · GitHub release · pip install --upgrade tesserae==0.13.2
A small security hardening for the web clipper, now that the Clip to Tesserae Chrome extension is published.
POST /api/clip trusts only the published extension
tesserae serve accepts clips from the browser extension. Its CORS policy previously trusted any chrome-extension:// / moz-extension:// origin — so any extension a user happened to have installed could POST clips into their local server.
Now the extension origin must be allow-listed:
- the published Clip to Tesserae extension is trusted by default (zero config), and
- you can trust additional ids — your own unpacked dev build, Firefox, or a fork — by adding them to a
clip_extension_idslist in~/.tesserae/config.json:
{ "clip_extension_ids": ["your-dev-build-extension-id"] }
Loopback http(s) origins, the no-Origin (non-browser) caller, and the orthogonal shared-secret clip_token are unchanged. The list is read fresh on each request, so no restart is needed to trust a new id.
Upgrading
Drop-in over v0.13.x. If you clip with the published extension, nothing changes. If you develop the extension locally, add your unpacked build's id to clip_extension_ids.