this post was submitted on 02 Sep 2023
Firefox

A place to discuss the news and latest developments on the open-source browser Firefox

[–] [email protected] 11 points 1 year ago (3 children)

Is it possible to decompile or analyze an extension to see if new code has been added?

I only have 4 extensions, all of them are recommended by Firefox, and come with a tag that says "Firefox only recommends extensions that meet our standards for security and performance". Now I'm wondering what those standards are, and whether plugins that have already 'met' them are re-assessed when updated or altered.

[–] vitonsky 11 points 1 year ago

You can see the code of extensions, but it may be minimized, so it is hard to know what the code does.

Extensions with the "Recommended" label have passed manual review by Firefox moderators, so you can trust them more than addons without this label. However, you should still keep in mind that any extension developer may be the victim of a complex scam attack.

The most probable reason is usually not enough funding for the developers:

  • The developer spends time maintaining the project, but users do not donate to them
  • Scammers offer the developer some integrations that do not look too suspicious and allow them to earn some money
  • The developer accepts the offer, and after some time the scammers enable malware to hack the extension's users

To minimize the possibility of hijacking addons by scammers, we have to:

  • conduct a background check before installing an extension
  • ensure the extension has a GitHub with open source code and the developer is a real person
  • ensure development is active and the developer has high engineering skill; check that they respond to feedback and issues
  • donate to the developer if you like the product, to motivate them to keep their distance from scammers' offers
[–] [email protected] 8 points 1 year ago (1 children)

You can open/extract extensions (at least Firefox ones) as zip files, they'll contain the code and assets used by the extension.
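
For the question above about spotting new code in an update, building on the point that an extension is a zip archive: the following is an added example, not code from any commenter, that compares two versions of a `.xpi` and lists added, removed and changed files plus newly requested permissions. The function names and the two sample archives are constructed for illustration.

```python
import hashlib
import io
import json
import zipfile


def file_digests(xpi):
    """Map every file inside the archive to the SHA-256 of its contents."""
    with zipfile.ZipFile(xpi) as z:
        return {i.filename: hashlib.sha256(z.read(i)).hexdigest()
                for i in z.infolist() if not i.is_dir()}


def declared_permissions(xpi):
    """Collect API and host permissions declared in manifest.json."""
    with zipfile.ZipFile(xpi) as z:
        manifest = json.loads(z.read("manifest.json"))
    keys = ("permissions", "optional_permissions", "host_permissions")
    return {p for k in keys for p in manifest.get(k, []) if isinstance(p, str)}


def diff_xpi(old, new):
    """Report what an update added, removed or changed, and new permissions."""
    a, b = file_digests(old), file_digests(new)
    return {
        "added": sorted(b.keys() - a.keys()),
        "removed": sorted(a.keys() - b.keys()),
        "changed": sorted(f for f in a.keys() & b.keys() if a[f] != b[f]),
        "new_permissions": sorted(declared_permissions(new) - declared_permissions(old)),
    }


def build_sample(files):
    """Build a tiny .xpi in memory from {name: text} (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, text in files.items():
            z.writestr(name, text)
    return buf


# Constructed sample data, not a real extension.
OLD = {"manifest.json": json.dumps({"version": "1.0", "permissions": ["storage"]}),
       "background.js": "console.log('v1');"}
NEW = {"manifest.json": json.dumps({"version": "1.1",
                                    "permissions": ["storage", "tabs", "<all_urls>"]}),
       "background.js": "console.log('v1');",
       "vendor/stats.js": "/* newly bundled script */"}

if __name__ == "__main__":
    print(json.dumps(diff_xpi(build_sample(OLD), build_sample(NEW)), indent=2))
```

`diff_xpi` also accepts file paths, so it can be pointed at two saved copies of an extension; a new script file combined with a broader permission such as `<all_urls>` is the kind of change worth reading closely.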

[–] [email protected] 3 points 1 year ago

The average person won't know what they're looking at.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

From what I've experienced with my extension, every update has to go through a review process. Firefox is pretty fast, Chrome takes a few days and Edge takes a while (Opera hasn't finished reviewing my first version, so I stopped trying with them).

The only time I failed a review was early on when my build script choked and I submitted an empty file to Chrome (whoops). So I can't really tell how good those reviews are, but I'm not planning on testing them. I just know that they exist.