I’m using Helmet to help block cross-site scripting hacks on my site.
I noticed Helmet was blocking the URL https://r.lr-in-prod.com/. If I load that page and check the source, I see:
<script type="module" src="chrome-extension://jdkknkkbebbapilgoeccciglkfbmbnfm/hook.js"></script>
If I go to chrome-extension://jdkknkkbebbapilgoeccciglkfbmbnfm/hook.js, I see minified JS, including strings such as:
- ROOT_QUERY
- __typename
- Query
- Mutation
- Subscription
- cache-only
- network-only
- cache-and-network
- cache-first
- cache-and-network
- network-only
- cache-first
- use strict
- SCHEMA_DEFINITION
So, I’m thinking this is my excellent Apollo Chrome extension, which is so useful. And I wouldn’t mind using it to access my Apollo data on my client in production.
Is it considered okay, from a security point of view, to permit the client to use the Apollo plugin on a production site?