Skip to content

ScriptVault v2.3.4

Latest
Latest

Choose a tag to compare

View all tags
@SysAdminDoc SysAdminDoc released this 29 Apr 01:06
· 76 commits to main since this release
v2.3.4
eb40a83

ScriptVault v2.3.4

Two CSP-blocked inline <script> blocks were silently breaking the dashboard's view-settings toolbar (zoom + density) and the DevTools panel registration. Also relocates the self-distribution signing keys out of the repo root so Chrome's "Load unpacked" stops warning about bundled key files.

Now live on the Chrome Web Store.

Install (Brave / Chrome / Edge — recommended)

Dragdrop CRX installs are blocked by Chromium 75+ for any extension not in the Web Store, regardless of signing or developer mode. Use Load unpacked instead:

  1. Download ScriptVault-v2.3.4.zip and extract it to a permanent folder (e.g. ~/extensions/scriptvault/). Don't delete the folder afterwards — the browser loads the extension from this path on every startup.
  2. Open brave://extensions (or chrome://extensions, edge://extensions).
  3. Toggle Developer mode on (top-right).
  4. Click Load unpacked and select the extracted folder.

The CRX is still attached for users who have a flow that supports it (enterprise policy with ExtensionInstallSources whitelist, Chrome --load-extension command-line flag, or older Chromium forks like Vivaldi). It is signed with a self-distribution key (extension ID dogogpmmlddegcodbcbeccebdlegphph) — distinct from the Chrome Web Store listing.

Changes

  • Fixed: Two inline <script> blocks violated the extension_pages CSP (script-src 'self'). pages/dashboard.html had a 75-line view-settings controller (zoom + density) and pages/devtools.html had a 9-line panel registration call — both blocked at load time, leaving the dashboard's zoom/density toolbar inert and the DevTools panel un-registered. Extracted to pages/dashboard-viewsettings.js and pages/devtools.js. The remaining inline script in pages/editor-sandbox.html is the Monaco bootstrap and is allowed by the sandbox CSP ('unsafe-inline').
  • Chore: Moved self-distribution signing keys (scriptvault.pem, scriptvault-selfhost.pem) out of the repo root to ~/.scriptvault-keys/. Chrome's "Load unpacked" warned This extension includes the key file ... You probably don't want to do that because anything inside the extension dir gets bundled at build/install time. pack-crx.mjs already takes the key path as a positional CLI arg, so callers just pass ~/.scriptvault-keys/scriptvault-selfhost.pem now. Both keys remain gitignored.

Includes the v2.3.2 service-worker syntax fix and the v2.3.3 self-healing "Allow User Scripts" warning, both of which shipped without GitHub releases.

Assets 4
Loading