Chrome Extension: cookie bridge + auto-refresh + header capture

[Chkhikvadze]

Goal

Build a Chrome Extension that acts as a secure bridge between the user's LinkedIn browser session and the sync service. This is the recommended auth approach — zero detection risk because the user logs in normally.

Why Chrome Extension?

Approach	Detection	2FA	Auto-refresh
Chrome Extension	❌ none	✅ user handles	✅ automatic
Playwright login	⚠️ medium	❌ blocks	❌ manual
Manual cookie paste	❌ none	✅ user handles	❌ manual

Architecture

chrome-extension/
├── manifest.json          # MV3, permissions: cookies, webRequest, storage
├── background.js          # service worker
│   ├── cookie watcher     # chrome.cookies.onChanged → POST /accounts/refresh
│   ├── header interceptor # chrome.webRequest → capture x-li-track, csrf-token
│   └── sync trigger       # manual button → POST /sync
├── popup.html             # UI: status, account, sync button, service URL config
└── popup.js

manifest.json (key parts)

{
  "manifest_version": 3,
  "permissions": ["cookies", "storage", "webRequest"],
  "host_permissions": [
    "https://www.linkedin.com/*",
    "http://localhost:8899/*"
  ],
  "background": { "service_worker": "background.js" }
}

Cookie auto-refresh flow

// background.js
chrome.cookies.onChanged.addListener(({ cookie, removed }) => {
  if (cookie.domain.includes("linkedin.com") && cookie.name === "li_at" && !removed) {
    // Get JSESSIONID too
    chrome.cookies.get({ url: "https://www.linkedin.com", name: "JSESSIONID" }, (jsession) => {
      fetch(`${SERVICE_URL}/accounts/refresh`, {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({
          account_id: storedAccountId,
          li_at: cookie.value,
          jsessionid: jsession?.value || null
        })
      });
    });
  }
});

Header capture (x-li-track, csrf-token)

chrome.webRequest.onSendHeaders.addListener(
  (details) => {
    const track = details.requestHeaders.find(h => h.name === "x-li-track");
    const csrf  = details.requestHeaders.find(h => h.name === "csrf-token");
    if (track || csrf) {
      // store for provider use
      chrome.storage.local.set({ xLiTrack: track?.value, csrfToken: csrf?.value });
    }
  },
  { urls: ["https://www.linkedin.com/voyager/api/*"] },
  ["requestHeaders"]
);

Service-side: POST /accounts/refresh

See issue #8 — this endpoint must exist for the extension to push updated cookies.

Acceptance criteria

• User installs extension, opens LinkedIn (normal login)
• Extension captures cookies and registers account via POST /accounts
• When li_at changes → auto-calls POST /accounts/refresh
• Popup shows sync status + button to trigger manual sync

[dev-miro26]

Hi, @Chkhikvadze
Can I work on this issue?

[dataCenter430]

Hi, @Chkhikvadze thanks for reporting this.
That makes sense.
I'd love to work on this, since I'm a big fan of Desearch-ai.
Please assign it to me, if needed.
Thank you

[dev-miro26]

Hi, @Chkhikvadze
Current codebase does not support linked in sync feature.
On the provider.py, list_threads and fetch_messages functions predefined but no implemented feature.
Do you want to implement this functions too on this issue?
Please let me know. I appreciate you. 👍

[dev-miro26]

@Chkhikvadze
Could you please reply to my asking?

[Chkhikvadze]

Maintainer sweep: sorry for the delay here. This is still a valid enhancement, but current priority is stabilizing the live sync/provider blockers in #37, #38, #39, and #40 first. If you still want to work on this, please keep it scoped to the extension bridge pieces in this issue and target the current local API flow rather than broad provider changes. A small, focused PR is welcome.