Okay to Permit Clients to Run Apollo Extension in Production?

I’m using Helmet to help block cross-site scripting hacks on my site.

I noticed Helmet was blocking the URL https://r.lr-in-prod.com/. If I load that page and check the source, I see:

<script type="module" src="chrome-extension://jdkknkkbebbapilgoeccciglkfbmbnfm/hook.js"></script>

If I go to chrome-extension://jdkknkkbebbapilgoeccciglkfbmbnfm/hook.js, I see minified JS, including strings such as:

  • ROOT_QUERY
  • __typename
  • Query
  • Mutation
  • Subscription
  • cache-only
  • network-only
  • cache-and-network
  • cache-first
  • cache-and-network
  • network-only
  • cache-first
  • use strict
  • SCHEMA_DEFINITION

So, I’m thinking this is my excellent Apollo Chrome extension, which is so useful. And I wouldn’t mind using it to access my Apollo data on my client in production.

Is it considered okay, from a security point of view, to permit the client to use the Apollo plugin on a production site?