Support sensitive token/headers for extensions
under review
Tony Dinh
I don't understand. Can you clarify more?
a
Tony Dinh sure thing (this request is specifically for headers, but would love the caching as well since currently you can tell when the script that overhauls the app "snaps" into place a second or so after page load)
Enhance extension loading: Security, Speed, and Caching
Current limitations:
- Scripts must be publicly accessible
- API keys in URL parameters are vulnerable to logging
- No built-in caching mechanism
Request:
Implement a secure, fast method to load extensions that:
- Allows use of private scripts and sensitive API keys
- Prevents logging/storage of keys by Typing Mind systems
- Protects against network request interception
- Maintains or improves current loading speed
- Implements efficient caching for faster subsequent loads
Potential solutions:
- Custom headers for authentication
- Encrypted payloads in requests
- Separate, secure input for API keys
- Client-side caching with periodic updates
Benefits:
- Enhanced security for proprietary/sensitive code
- Improved performance through caching
- Better user experience for power users and enterprises
This upgrade would significantly improve Typing Mind's appeal to security-conscious users while maintaining its performance edge.
Tony Dinh
a
I see, thanks for clarifying.
From my understanding, it's not possible to achieve what you want. No matter what technique you use (in the "potential solutions"), the data can be read by TypingMind and even other extensions. The extension system is not designed for this use case.
I'll leave this ticket open for now in case it gets more votes from other users.
a
Tony Dinh okay. My extensions (I'm sure you will have others with similar use cases if they are doing manual backups or otherwise) currently send a bunch of data to my server(s), including "sensitive"/private data (chat contents). My overarching concern is that sensitive parts of my network traffic with my server (private) will be logged, such as API keys in the GET requests. So I have to resort to encrypting all the data client side and decrypting server side (and vice versa). That way, even if a lot of content is logged, it doesn't end up in some analytics or logging framework in TM or its dependent systems.
Thoughts on this? I guess API keys (like myserver.com/TM-extension.js?api-key=123) I can live with, but the content of the body is concerning, like for POSTs with chat data.
Tony Dinh
a From a practical point of view your data is safe, no one can read the body of your request/response.
From a technical point of view, it depends. I can confirm with you that we at TypingMind don't store or log any of your personal data (see our privacy policy: https://www.typingmind.com/privacy). However, there are many other actors that can read your data. For example, if you have a browser extension like AdBlock or a grammar checker, those can totally read your data, request body, response body, etc. before any of that gets encrypted.