PE-6102 | Show session info in extension popup#9
Open
mihoward21 wants to merge 9 commits into
Conversation
Clicking the toolbar icon now opens a popup. When session info is available it shows the user's name, avatar, and email plus the currently selected organization and smart account; otherwise it shows a welcome message explaining that no action is needed in the extension. Session info reaches the extension via a new externally-connectable message (splits-connect:setSessionInfo) that the Splits Teams app can send after sign-in, org/account changes, and sign-out. The payload is origin-checked and sanitized before being stored in browser.storage.local, and the popup re-renders live on storage changes. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…_connectable The Teams app has no way to know the extension ID at connect time (it only appears in large-RPC placeholders), so the page cannot use chrome.runtime.sendMessage. Instead the app posts the session info to its own window and the content script — attached only on the Teams origin — relays it to the background over internal messaging. The background still origin-checks the sender and sanitizes the payload before storing. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Org/account is per-dapp state (a user can be connected to two apps with different orgs/accounts at once), so a single global popup cannot display it honestly — drop it and show only the user, which is genuinely global. Popup markup now lives in <template> elements in the HTML; the script only clones and fills text. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Teams re-pushes on every load, so the only snapshots that age out are from sessions that ended while no Teams tab was open (expiry, remote logout, cleared cookies) — previously those displayed user details indefinitely. Also document the accepted spoofing surface on the session bridge and capture the avatar fallback by selector instead of sibling position. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Someone confused at a new app should see the reassurance copy first, whether or not they are signed in. The message is now static HTML and only the 'Signed in as' card is rendered dynamically. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
mihoward21
commented
Jun 12, 2026
| return senderOrigin === allowedOrigin; | ||
| } | ||
|
|
||
| function getSenderOrigin(sender: MessageSender) { |
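Review bot: the exact string comparison in `return senderOrigin === allowedOrigin;` is the right shape, but it is only as strong as the contract of `getSenderOrigin(sender: MessageSender)` below: it must always yield a normalized origin (scheme, host, port, no path or trailing slash) and, when the sender carries neither an origin nor a parseable URL, return a value that can never equal `allowedOrigin`. A one-line comment on `getSenderOrigin` stating that contract would let the equality check be audited on its own.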
Author
mostly just reshuffling existing code here
mihoward21
commented
Jun 12, 2026
| // and the popup renders text only, so there is no injection path and nothing | ||
| // privileged to reach — and anything running on that origin can already read | ||
| // the real session from the page. | ||
| namespace SessionInfoBridge { |
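Review bot: the comment above `namespace SessionInfoBridge {` justifies the accepted spoofing surface on confidentiality and injection grounds (text-only rendering, and the origin can already read the real session), but the residual risk is integrity of what the popup shows: a message from that origin can make the "Signed in as" card disagree with the real session. The comment would be clearer if it named that display-spoofing risk explicitly as the accepted one and noted that the sanitizer's length caps bound its visible effect.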
r0ohafza
approved these changes
Jun 12, 2026
Summary
Clicking the extension's toolbar icon now opens a popup (PE-6102).
How session data gets to the extension
The extension is a stateless bridge — it has no session of its own. The Splits Teams app posts session info to its own window whenever its auth state resolves (on every page load, and null when signed out). The content script — attached only on the Teams origin — relays it to the background over internal messaging. The background re-checks the sender origin and sanitizes the payload (string trimming/length caps, http(s)-only avatar URL) before persisting to browser.storage.local. The popup reads it on open and re-renders live via storage.onChanged.
Companion PR: 0xSplits/splits-teams#1497 syncs the message from AppContainer whenever the auth query resolves.
Security
textContent only (the welcome message is static HTML; the user card is a <template>; no innerHTML), so there's no injection path into the privileged page. Documented on SessionInfoBridge.
Notes
storage was already granted.
pnpm compile and pnpm build; visually checked signed-out, fresh-session
🤖 Generated with Claude Code
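The background-side handling the description walks through (sender origin check, then trimming and length caps, an http(s)-only avatar URL, and null clearing the snapshot on sign-out), as an added JavaScript example that is not the PR's or the splits-connect code; the origin constant, the length cap and the function names are assumptions, and only the message type is taken from the PR:

```javascript
// Added example, not the PR's own code; ALLOWED_ORIGIN, MAX_LEN and function names are assumed.
const ALLOWED_ORIGIN = "https://teams.example.test"; // constructed placeholder
const MAX_LEN = 256;                                   // assumed length cap
const SESSION_MSG = "splits-connect:setSessionInfo";

// Resolve a MessageSender to an origin; null when it cannot be determined,
// which can never compare equal to ALLOWED_ORIGIN.
function getSenderOrigin(sender) {
  if (sender && typeof sender.origin === "string") return sender.origin;
  if (sender && typeof sender.url === "string") {
    try { return new URL(sender.url).origin; } catch { return null; }
  }
  return null;
}

// Trim, drop empty strings and non-strings, cap the length.
function cleanString(value) {
  if (typeof value !== "string") return null;
  const trimmed = value.trim();
  return trimmed.length === 0 ? null : trimmed.slice(0, MAX_LEN);
}

// Accept only absolute http(s) URLs for the avatar; anything else is dropped.
function cleanAvatarUrl(value) {
  const s = cleanString(value);
  if (s === null) return null;
  try {
    const u = new URL(s);
    return u.protocol === "https:" || u.protocol === "http:" ? u.href : null;
  } catch { return null; }
}

// null payload means "signed out": the stored snapshot is cleared.
function sanitizeSessionInfo(payload) {
  if (payload === null) return null;
  if (typeof payload !== "object") return undefined;
  const name = cleanString(payload.name);
  const email = cleanString(payload.email);
  if (name === null && email === null) return undefined;
  return { name, email, avatarUrl: cleanAvatarUrl(payload.avatarUrl), receivedAt: Date.now() };
}

// Background handler: returns the value to write to browser.storage.local
// (an object, or null to clear), or undefined when the message is rejected.
function handleSessionMessage(message, sender) {
  if (getSenderOrigin(sender) !== ALLOWED_ORIGIN) return undefined;
  if (!message || message.type !== SESSION_MSG) return undefined;
  return sanitizeSessionInfo(message.payload);
}
```

The receivedAt stamp is what a later expiry pass can compare against, so snapshots from sessions that ended while no Teams tab was open do not display indefinitely.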