Skip to content

api endpoint to upload custom extensions and restart #71

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rgarcia merged 27 commits into from
Oct 6, 2025
Merged

api endpoint to upload custom extensions and restart #71

rgarcia merged 27 commits into from
Oct 6, 2025

Conversation

@rgarcia
Copy link
Contributor

@rgarcia rgarcia commented Sep 25, 2025
edited by cursor bot
Loading

  • Adds an API endpoint for receiving an upload of unpacked chrome extensions, placing them in /home/kernel/extensions/ and then restarting chromium
  • Uses existing /chromium/flags overlay mechanism to override the flags we launch the instance with
  • Replaces start-chromium.sh with a proper program since flag logic was getting complicated. I think this brings a little bit more sanity to the process of applying CHROMIUM_FLAGS (what we launch the instance with) and overlaying / merging the content of /chromium/flags at runtime
  • Some updates to how the upstream CDP URL tracking / updating work to allow for additional subscribers to updates

Checklist

  • A link to a related issue in our repository
  • A description of the changes proposed in the pull request.
  • @mentions of the person or team responsible for reviewing proposed changes.

Note

Adds POST /chromium/upload-extensions-and-restart and a new Go-based chromium-launcher, updates flag handling, DevTools proxy, OpenAPI/client, Docker images, and tests/CI.

  • API:
    • POST /chromium/upload-extensions-and-restart: accepts zipped extensions, extracts to /home/kernel/extensions/<name>, updates runtime flags (/chromium/flags), restarts Chromium via supervisorctl, and waits for DevTools readiness.
    • Wire UpstreamManager and scale-to-zero controller into ApiService and server startup.
  • Flag handling:
    • New chromiumflags lib to parse/merge base/runtime flags and write/read structured flag files; comprehensive unit tests.
  • Launcher & Images:
    • Replace shell start-chromium.sh with Go chromium-launcher (supports headless/headful, flag merge, run-as-user); add unit tests and CI workflow.
    • Update headful/headless Dockerfiles to build/copy chromium-launcher and supervisor configs to invoke it.
  • DevTools Proxy:
    • Add pub/sub (Subscribe) to UpstreamManager and broadcast updates; tests updated/added.
  • OpenAPI/Client:
    • Extend spec with new endpoint; regenerate oapi client/server types and handlers.
  • E2E/Playwright:
    • Add TestExtensionUploadAndActivation and Playwright command to verify title changes via content script.

Written by Cursor Bugbot for commit 322545f. This will update automatically on new commits. Configure here.

TL;DR

Adds an API endpoint to upload and load custom browser extensions, triggering a browser restart.

Why we made these changes

This addresses a feature request to allow users to install their own browser extensions (e.g., ad-blockers, testing tools), enabling greater customization of the browser environment.

What changed?

  • API: Added a new POST /chromium/upload-extensions-and-restart endpoint. It handles uploading zipped extensions, extracting them, updating runtime flags, and restarting the browser via supervisorctl.
  • Chromium Launcher: Replaced the start-chromium.sh scripts with a new, unit-tested Go binary (chromium-launcher). This launcher is responsible for merging base and runtime flags, allowing extensions to be loaded dynamically.
  • DevTools Proxy: Implemented a pub/sub mechanism in the UpstreamManager to notify the API service when the browser is ready after a restart, ensuring the request waits for completion.
  • API Spec: Updated openapi.yaml and regenerated the Go client to include the new extension upload endpoint.

Validation

  • Added a new end-to-end test (TestExtensionUploadAndActivation) that uploads a sample extension and uses Playwright to verify it is loaded and active in the browser.
  • Added unit tests for the new chromium-launcher and chromiumflags library.
  • Added a new GitHub Actions workflow to run the launcher's unit tests on every push.

Description generated by Mesa. Update settings

@rgarcia
add api endpoint to upload custom extensions and restart
7993d69 
- adjusts flag logic to merge flags and treat /chromium/flags as a runtime overlay
cursor[bot]

This comment was marked as outdated.

Sign in to view

mesa-dot-dev[bot]
mesa-dot-dev bot reviewed Sep 25, 2025
View reviewed changes
Copy link

@mesa-dot-dev mesa-dot-dev bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Performed full review of e0ca1d9...7993d69

Analysis

  1. Shell Script Flag Parsing Vulnerabilities - The flag merging logic may have edge cases with complex flag formats that could lead to unexpected behavior or security issues.

  2. Hardcoded Ownership Assumptions - The implementation contains hardcoded ownership changes that make specific deployment assumptions, reducing flexibility for different environments.

  3. External Dependencies in Tests - End-to-end tests rely on external services which could impact reliability and cause intermittent test failures.

  4. Restart Coordination Race Conditions - Despite attention to synchronization, potential race conditions may exist in the DevTools proxy pub-sub mechanism during browser restarts.

Tip

⚡ Quick Actions

This review was generated by Mesa.

Actions:

Slash Commands:

  • /review - Request a full code review
  • /review latest - Review only changes since the last review
  • /describe - Generate PR description. This will update the PR body or issue comment depending on your configuration
  • /help - Get help with Mesa commands and configuration options

10 files reviewed | 0 comments | Review on Mesa | Edit Reviewer Settings

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

@rgarcia rgarcia requested a review from Sayan- October 1, 2025 22:46
Sayan-
Sayan- reviewed Oct 2, 2025
View reviewed changes
Copy link
Contributor

@Sayan- Sayan- left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

generally looks good! a few small q's about the API

server/cmd/api/api/chromium.go Outdated
Comment on lines 74 to 76
if fieldName != "extensions.zip_file" && fieldName != "extensions.name" {
return oapi.UploadExtensionsAndRestart400JSONResponse{BadRequestErrorJSONResponse: oapi.BadRequestErrorJSONResponse{Message: "invalid form field: " + part.FormName()}}, nil
}
Copy link
Contributor

@Sayan- Sayan- Oct 2, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit - redundant with the following switch

Sayan-
Sayan- reviewed Oct 2, 2025
View reviewed changes
cursor[bot]

This comment was marked as outdated.

Sign in to view

Sayan-
Sayan- reviewed Oct 2, 2025
View reviewed changes
Copy link
Contributor

@Sayan- Sayan- left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

flag changes are slick! pending bot comments and otherwise lgtm

rgarcia
rgarcia commented Oct 2, 2025
View reviewed changes
Copy link
Contributor Author

@rgarcia rgarcia left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not finished yet but submitting comments so far

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]
cursor bot reviewed Oct 6, 2025
View reviewed changes
@rgarcia rgarcia merged commit 716fc8e into main Oct 6, 2025
5 checks passed
@rgarcia rgarcia deleted the raf/kernel-262-feature-request-ability-to-add-browser-extensions branch October 6, 2025 10:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Sayan- Sayan- Sayan- left review comments

@cursor cursor[bot] cursor[bot] left review comments

+1 more reviewer

@mesa-dot-dev mesa-dot-dev[bot] mesa-dot-dev[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@rgarcia @Sayan-