User-configured extensions do not work on a private code host when using the public Sourcegraph instance
Created by: lguychard
Discovered this while screensharing with Bas from Codecov.
Steps to reproduce:
- Make sure you're logged in to sourcegraph.com, and your browser extension is pointing to sourcegraph.com
- Enable the Codecov extension in your sourcegraph.com account
- Visit a repo on a private code host (e.g. gitlab.sgdev.org, ghe.sgdev.org or `docker run -p 8000:80 gitlab/gitlab-ce`)
- Witness that the Codecov extension is not activated
A further look will reveal that only default extension IDs are returned, as if you were in a logged-out state:
This is normal: through the corsOrigin setting, sourcegraph.com is set up to only accept requests from github.com, bitbucket.org and gitlab.com, and while the browser extension uses access tokens to bypass CORS, it doesn't do it for sourcegraph.com.
While expected, this defeats the goal of being able to use extensions on private code even without a private Sourcegraph instance (in the way Codecov currently works on private GitHub repositories, for instance).
This limitation could potentially be overcome by making all requests from the background page of the extension.
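
A simplified model of the behaviour described in this issue, added here as an example; it is not Sourcegraph's code. The function names, the account data, the `token` header format and the extension IDs are assumptions made for illustration; only the three allowlisted origins come from the issue.

```javascript
// Model of an origin allowlist that gates cookie-based sessions.
// Hypothetical names and constructed data throughout; see the lead-in.
const CORS_ORIGIN = ["https://github.com", "https://bitbucket.org", "https://gitlab.com"];
const DEFAULT_EXTENSIONS = ["example/default-ext"]; // constructed ID
const USERS = [
  // constructed account with one user-enabled extension
  { name: "alice", session: "sess-alice", token: "tok-alice", extensions: ["example/codecov"] },
];

// Decide which user, if any, a request is allowed to act as.
function resolveViewer(req) {
  const auth = req.headers.authorization || "";
  // An access token is an explicit credential the caller chose to send,
  // so it is accepted whatever page origin the request came from.
  if (auth.startsWith("token ")) {
    return USERS.find((u) => u.token === auth.slice("token ".length)) || null;
  }
  // A cookie is ambient: the browser attaches it automatically. It is only
  // honoured for same-origin requests (modelled as no Origin header) or for
  // origins on the allowlist, otherwise any site could ride the session.
  const origin = req.headers.origin;
  if (origin && !CORS_ORIGIN.includes(origin)) return null;
  return USERS.find((u) => u.session === req.headers.cookie) || null;
}

// Extensions the viewer sees: defaults only when treated as anonymous.
function viewerExtensions(req) {
  const viewer = resolveViewer(req);
  return viewer ? [...DEFAULT_EXTENSIONS, ...viewer.extensions] : [...DEFAULT_EXTENSIONS];
}

// CORS response headers: credentials are only allowed for listed origins.
function corsHeaders(req) {
  const origin = req.headers.origin;
  if (!origin || !CORS_ORIGIN.includes(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };
}

// Content script on a private code host: the cookie is sent, the origin is not listed.
const fromPrivateHost = { headers: { origin: "https://gitlab.sgdev.org", cookie: "sess-alice" } };
// Same page origin, but authenticated with an access token instead of the cookie.
const withToken = { headers: { origin: "https://gitlab.sgdev.org", authorization: "token tok-alice" } };
console.log(viewerExtensions(fromPrivateHost)); // defaults only
console.log(viewerExtensions(withToken)); // defaults plus the user's extensions
```

In this model the safe ways to make private code hosts work are an explicit credential or requests issued from the extension's own background page, as the issue suggests; widening the allowlist to arbitrary origins would let any site act with the user's session.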