"XMLHttpRequest may not be used at this time"

Hey, I wrote an cost estimator for calculating the price for ChatGPT API calls.

// #popclip extension for ChatGPT
// name: ChatGPT Price Estimator
// language: javascript
// module: true
// entitlements: [dynamic]

function naiveRound(num, decimalPlaces = 0) {
  var p = Math.pow(10, decimalPlaces);
  return Math.round(num * p) / p;

const actions = (input) => {
  const word_count = input.text.split(" ").length
  const char_count = input.text.length
  const tokens_count_word_est = word_count / 0.75
  const tokens_count_char_est = char_count / 4.0
  const token_est = (tokens_count_word_est + tokens_count_char_est) / 2
  const price_est = naiveRound(token_est * 0.002 / 10, 2)
  const action = {
      title: `¢${price_est}`
  return action;
exports.actions = actions;

But it looks like it cannot co-exist with the ChatGPT extension. I had to delete (disabling is not enough) the cost estimator extension for the ChatGPT extension to work.

The corresponding error message is:

Result: error: Error: XMLHttpRequest may not be used at this time (axios.js.lzfse:211:17) <no output text>

Thoughts? @nick

(Edited because I hadn’t read the initial code properly!)
(Edit 2: DIsregard the below – It’s still true, but not relevant here. I will investigate further…)

An actions function that’s actually being run while generating the actions for the PopClip bar, it isn’t allowed to access the internet.

That’s a decision I made because this code runs for every text the user selects without explicit invocation of the action. Therefore it presents an opportunity for someone to make a nefarious text-sniffing extension to hover up all the text a user selects.

While designing this feature, I was quite worried about that potential, so I decided to disallow network access for dynamic extensions.

This is hardcoded into PopClip, even for signed extensions I’ve made, and there isn’t currently any way to disable that.

So the solution, in this case, is to make it an action you have to invoke explicitly. Not so convenient, but hopefully, you can appreciate the security vs functionality tradeoff here.

(In fact, this extension wouldn’t work anyway because it would need both the network and dynamic entitlements. If you tried to set both at once, you would get an explicit error message saying nope, not allowed.)

I could definitely improve the documentation and error message to make this clearer.

Just pinging a second reply because I edited the first.

Replying a third time because I still didn’t read the code properly! My apologies. I see that it isn’t actually using the network; indeed you may have discovered a bug. I shall look into it.

1 Like