Add Chrome extension for GitHub Chat#12
Conversation
Implements a Manifest V3 Chrome extension that injects a real-time chat widget into all github.com pages via content script + iframe. Includes toggle button in bottom-right corner, Firebase Firestore messaging, message deletion, and responsive design. Closes inquid#1 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: e158967fc9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| <script src="https://www.gstatic.com/firebasejs/8.5.0/firebase-app.js"></script> | ||
| <script src="https://www.gstatic.com/firebasejs/8.5.0/firebase-database.js"></script> | ||
| <script src="https://www.gstatic.com/firebasejs/8.5.0/firebase-firestore.js"></script> |
There was a problem hiding this comment.
Manifest V3 extension pages run under a CSP that only allows local scripts, so loading Firebase from https://www.gstatic.com/... will be blocked at runtime. In this state firebase never initializes and the chat widget fails to load/send messages on GitHub pages. Move these dependencies into packaged extension files (or bundle them) and reference them locally.
Useful? React with 👍 / 👎.
| var isSent = data.sender === myName; | ||
| var msgEl = document.createElement("div"); | ||
| msgEl.id = "message-" + id; | ||
| msgEl.className = "message " + (isSent ? "sent" : "received"); | ||
|
|
||
| var senderHtml = data.sender ? '<div class="sender">' + escapeHtml(data.sender) + "</div>" : ""; | ||
| var deleteBtnHtml = isSent | ||
| ? '<button class="delete-btn" data-id="' + id + '" title="Delete message">x</button>' |
There was a problem hiding this comment.
The "own message" check is based only on data.sender === myName, where myName is an arbitrary localStorage display name. If two people choose the same name, each client will treat the other's messages as theirs and expose the delete control, which can remove other users' messages in setups that allow client-side deletes. Use an authenticated, non-spoofable user ID for ownership checks.
Useful? React with 👍 / 👎.
- Bundle Firebase scripts locally instead of loading from CDN (P1: CSP compliance) - Add immutable user ID (myUid) for message ownership instead of display name (P2) - Update manifest web_accessible_resources to include firebase files Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
- Move Firebase config to firebase-config.js (gitignored) - Provide firebase-config.example.js as template - Load config via window.FIREBASE_CONFIG before initialization - Resolves GitHub secret scanning alerts for API key exposure Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 participant
Implements a Manifest V3 Chrome extension that injects a real-time chat widget into all github.com pages via content script + iframe. Includes toggle button in bottom-right corner, Firebase Firestore messaging, message deletion, and responsive design.
Closes #1