Permission Inspector for Firefox

Martin Brinkmann
Jan 17, 2019

Permission Inspector is a new extension for the Firefox web browser that provides details on the permissions that installed Firefox extensions requested.

Firefox displays a permissions prompt when users install extensions from the Mozilla Add-ons Store or from elsewhere; the listed permissions are requested explicitly by extensions to extend the available functionality (all extensions share access to certain functions that are permitted by default).

While users may verify permissions in the installation dialog, requested permissions are not listed on Firefox's about:addons page, the management interface for extensions, themes and other components.

I'm not aware of an option to list extension permissions in Firefox. Firefox users can visit the extension's page on Mozilla's Firefox Add-ons Store, as the permissions are listed in the sidebar there.

Permission Inspector is a Firefox extension that changes that; it displays all extra permissions that installed extensions require to function. Even better: it lists some permissions that are not listed on Mozilla AMO or during installation of the extension.

Just click on the Permission Inspector button in the Firefox interface to open the local management page.


The page is divided into an Extensions tab and a Permissions tab. The Extensions tab lists the description of each extension and its requested permissions. Firefox add-ons that are installed but disabled show only the description but no permission information.

System add-ons, extensions installed by Mozilla automatically, are not listed on the page.


The Permissions page lists each requested permission and the extensions that requested them. It offers a different view and gives you options to check specific permissions that you consider critical or problematic.

It lists the permission name, e.g. Notifications, and then the extensions that have that permission.

Closing Words and verdict

Permission Inspector is a useful extension; its functionality is something that should be integrated in Firefox so that users have this information available.

It displays all permissions of all extensions installed in the browser. There is room for improvement though. I'd like to see links to about:addons, an extension's management page in Firefox, and an extension's page on Mozilla AMO.

A rating system of sorts might also be useful to look into; not all permissions are equally problematic for users, and Permission Inspector could use a rating system and provide filters or sort options to list the most problematic extensions at the top of the listing.
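The two views described above and the rating idea, as an added example (not Permission Inspector's code): the input objects follow the shape of the WebExtensions `management.ExtensionInfo` type, the sample extensions are constructed, and the weights are hypothetical.

```javascript
// Constructed sample shaped like management.ExtensionInfo objects.
const SAMPLE = [
  { name: "Tab Tidy", type: "extension", enabled: true,
    permissions: ["tabs", "storage"], hostPermissions: [] },
  { name: "Page Helper", type: "extension", enabled: true,
    permissions: ["webRequest", "notifications"], hostPermissions: ["<all_urls>"] },
  { name: "Dark Theme", type: "theme", enabled: true,
    permissions: [], hostPermissions: [] },
  { name: "Old Clipper", type: "extension", enabled: false,
    permissions: ["clipboardRead"], hostPermissions: ["*://*.example.com/*"] },
];

// Hypothetical weights (an assumption of this example): higher = broader access.
const WEIGHTS = new Map(Object.entries({
  "<all_urls>": 5, webRequest: 4, nativeMessaging: 4,
  clipboardRead: 3, tabs: 3, history: 3, cookies: 3,
}));
const DEFAULT_WEIGHT = 1;

// A host pattern covering every site is rated like <all_urls>.
function weightOf(perm) {
  if (/^(\*|https?):\/\/\*\/\*$/.test(perm)) return WEIGHTS.get("<all_urls>");
  return WEIGHTS.get(perm) ?? DEFAULT_WEIGHT;
}

const isExtension = (e) => e.type === "extension"; // skip themes
const allPermissions = (e) => [...(e.permissions || []), ...(e.hostPermissions || [])];

// "Extensions" view with a score, most problematic first (ties sorted by name).
function rankExtensions(extensions) {
  return extensions.filter(isExtension)
    .map((e) => ({ name: e.name, enabled: e.enabled, permissions: allPermissions(e),
      score: allPermissions(e).reduce((sum, p) => sum + weightOf(p), 0) }))
    .sort((a, b) => b.score - a.score || a.name.localeCompare(b.name));
}

// "Permissions" view: permission name -> extensions that requested it.
function byPermission(extensions) {
  const index = new Map();
  for (const ext of extensions.filter(isExtension)) {
    for (const perm of allPermissions(ext)) {
      if (!index.has(perm)) index.set(perm, []);
      index.get(perm).push(ext.name);
    }
  }
  return index;
}

console.log(rankExtensions(SAMPLE));
console.log(byPermission(SAMPLE));
```

Inside an extension that holds the `management` permission, the array returned by `browser.management.getAll()` can be passed in place of `SAMPLE`.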

Permission Inspector is not the first extension of its kind. We reviewed Project Insight in 2018 which offers similar functionality.

Google Chrome displays requested permissions natively for each installed extension.

Now You: How do you handle extension permissions?

Comments

  1. Box Checker said on January 18, 2019 at 9:34 pm

    Firefox is becoming as bloated as Windows 10

    You need more inspectors than the secret police !!

    Escape from Mozilla, grab a FOSS Browser NOW !!!

  2. ULBoom said on January 18, 2019 at 2:17 am

    Aren’t the same things listed before you install an extension? I like Martin’s suggestions for additional info.

    If an extension’s permissions are excessive for what it does (access to everything for a static theme, for example), I won’t touch it. FF’s, for the most part are OK; chrome’s are more of a treasure hunt to find good ones.

  3. Franck said on January 18, 2019 at 1:36 am

    Very interesting, thank you !

  4. MAG said on January 18, 2019 at 12:16 am

    @Censored:

    Please shut up. Quit talking for the “people”.

  5. user17843 said on January 17, 2019 at 6:34 pm

    That’s quite interesting, but overall doesn’t say much.

    Since the permissions are basically local, and they are necessary for an extension to operate, a better way would be to filter for reputation or code quality.

    This is what Mozilla will basically do, a manually curated extension store is on their roadmap for 2019.

    The other way is how Chrome handles it, creating different automated layers of control, which requires lots of time and energy, and only makes sense for big ecosystems with hundreds of millions of users.

  6. Me said on January 17, 2019 at 6:32 pm

    Am I blind or does this extension not list itself in the extensions tab?

    1. www said on January 17, 2019 at 7:02 pm

      Blind? Short sighted rather. In my ff at least it puts its clickable logo on the topbar.

      1. Me said on January 17, 2019 at 7:27 pm

        Logo is in top bar also for me. What I meant was, the tab that gets opened when clicked, “Details of all the permissions used by each installed extension”, this extension is not listed for me…

      2. www said on January 18, 2019 at 1:14 am

        So it turned out I was not reading correctly, ’cause you’re right.

  7. Tom Hawack said on January 17, 2019 at 5:10 pm

    Regarding Firefox extensions I don’t focus on the permissions they require but mainly on the developer,

    – is he new, has he other extensions available on AMO?
    – his homepage, if other than GitHub or GitLab then what does Netcraft have to say about it?
    – lack of homepage is for me a very bad sign, but not determinant.

    I’ve already refused extensions because their developer’s homepage had a very bad ‘Netcraft Risk Rating’ (https://toolbar.netcraft.com/site_report?url=), I’ve even discovered one with a 9/10 risk rating…
    I’m as well reluctant to even investigate extensions which have no description and/or a developer obviously a visitor for the time of proposing his extension (like ‘firefoxuserxxx’).

    All this taken into consideration I may then install and test an extension; depending on its ambition I’ll test it more or less thoroughly. Given the fact moreover I have 40+ extensions installed I’ll be cautious about any functions overlaps, redundancies and compatibility.

    As I understand it checking permissions doesn’t necessarily link to an extension’s probity but may as well simply concern what the user would consider an excessive permissions’ price given the extension’s requirements, and I happen to follow this approach when I hesitate between two extensions doing exactly the same job : in that case I tend to choose the extension requiring less permissions, but again up to now I haven’t focused on an extension’s permissions in the sense of a veto.

    1. Anonymous said on January 18, 2019 at 3:53 am

      You can’t blindly trust an extension because the developer is famous. We have seen cases where famous extensions were ‘hacked’ (see CopyFish/Mega) and some put in a backdoor (see Stylish). Some good legacy extensions didn’t even have a homepage, too bad they were no longer developed.

      About the firefoxuserxxx, I think it’s Mozilla’s bug. Didn’t know why Mozilla changed extension’s dev name to that (happens to me too)

      1. gwacks said on January 18, 2019 at 5:46 pm

        I think both Tom Hawack & anonymous developer gave very good points. In my case, personally I don’t rely on opinions of any other third-parties except for some from experienced users I can trust. Basically I follow these three rules to make sure my security with hundreds of extensions (or you shouldn’t install so many because of large attack surface and risk):

        1. All the closed sources out.
        2. View source code of a new one before I add it for daily use via “Extension source viewer”, by checking all the hosts it may connect with, or whether there is code obfuscation, which is easy and a non-geek user can also do it.
        3. The most important I think, disable auto-installing new version before I see what the new things are in its updating.

      2. Tom Hawack said on January 18, 2019 at 3:16 pm

        @Anonymous, on your second point I have no idea if (some of) those Firefoxuserxxx developers appear as such because of a Mozilla AMO bug. That would be news for me. Worth being investigated of course and, as far as I’m concerned, would appear as a non-criteria if related to a bug.

        Concerning your first point, how to disagree? Not only is a developer’s fame a non-criteria in the sense of absolute but neither is an extension’s oldness nor is the fact a developer’s extension library filled with many healthy ones. I’d say confidence is impacted by these arguments but shouldn’t be systematic. The same as software, applications : I catch myself being tempted to not send to Virustotal updates of applications I’ve been using for ages and then recall the scheme of infiltrated spies who gained confidence on the basis of time and trustworthiness because of performing excellently until the day they wake up, are woken up or become “turned” (“retourné” in French, no idea of the correct translation, we never operated in the States, lol!).

        Caution is good, suspicion is bad.

    2. Marco said on January 17, 2019 at 8:15 pm

      @Censored, get lost

      @Tom, maybe it is too much to ask and you don’t have the time or the patience, but what extensions are you using? Thank you.

      1. Tom Hawack said on January 17, 2019 at 11:26 pm

        @Marco, sure : FF_extensions_2019-01-17.htm at https://mon-partage.fr/f/2yxHEeRS/

        The site is labeled in French, just click on ‘Télécharger’ (=’Download’).

        The file is crafted by Nirsoft’s SysExporter application on the basis of my extensions’ list summarized by CCleaner. The rendering provides more info and is easier to read than a plain txt format, especially with 42 extensions.

      2. Marco said on January 18, 2019 at 11:56 am

        I have to try some of those! Thank you, Tom :)

    3. Klaas Vaak said on January 17, 2019 at 7:30 pm

      @Tom Hawack: the UK is part of the 5 Eyes, Netcraft is based in the UK, and via the toolbar it knows every move you make on the net, which is very useful information. Still trust it?

      1. Stan said on January 17, 2019 at 10:35 pm

        “UK is part of the 5 Eyes”

        The same 5 eyes that ‘have been looping Germany and Japan in on information about China and Russia’ (and who knows what else).

        What’s your point?

      2. Tom Hawack said on January 17, 2019 at 8:11 pm

        @Klaas Vaak, maybe you are referring to the ‘Netcraft Anti-Phishing Extension’ which indeed follows a user on every visited page given the very nature of the extension. I don’t use that extension but only a bookmarklet to send a page to Netcraft’s analysis :

        javascript:void(open('https://toolbar.netcraft.com/site_report?url='+location.hostname))

        It’s as simple as that and I don’t get followed but neither am I proactively protected considering the extension has the potential to block pages if the user has chosen that option.

        My approach confirms your opinion and I’d even say that I think twice before adding an extension which follows the user, even if the extension is supposedly clean : I dislike baby-sitters (for myself) and I may reasonably fear that a baby-sitter occasionally hides less sweet aims :=)

      3. Klaas Vaak said on January 18, 2019 at 6:23 am

        @Tom Hawack: you’re right, inadvertently I was referring to the anti-phishing extension, sorry.
        Thanks for the bookmarklet :-)

    4. ~Anonymous~ said on January 17, 2019 at 6:00 pm

      Netcraft reports innocuous sites such as Github pages (https://user.github.io/project/) with a risk rating as high as 7/10, which is just ridiculous. Besides, homepages don’t necessarily have anything to do with the quality of an extension. Most individuals don’t get paid for developing addons, and if you can’t afford to pay for it, you either don’t have a homepage or you use free hosting solutions (such as Github pages). In fact, I’d typically find extensions authored by brands (like companies or such) to be far less trustworthy than extensions made by random individuals because the former are rarely open source and they more often than not try to monetize them in one way or another.

      Source: I’m an addon developer.

      1. Tom Hawack said on January 17, 2019 at 6:59 pm

        @~Anonymous, I don’t rely exclusively on Netcraft but I admit a certain confidence in the company’s security analysis skills.

        An extension’s developer not having a homepage is less important than that homepage being badly noted by Netcraft. You disagree, fine.

        “I’d typically find extensions authored by brands (like companies or such) to be far less trustworthy than extensions made by random individuals”

        Last but not least, being hosted on a serious site is not a guarantee of an extension’s honesty, so to say. I do make the difference between the host and the extension.

        I agree. Besides, extensions’ homepages poorly noted by Netcraft have always included only, in my experience, companies and not individuals.

      2. Tom Hawack said on January 17, 2019 at 6:52 pm

        @Censored, who “people”, Did you lead a survey? Speak for yourself, I won’t bite you, no need to include unknown “people” to legitimate your opinion!

        “people”, “we”, “they” … and it happens often. Just say, write “I” :=)

        Why not proceed as ~Anonymous, next comment, and develop, argument!

      3. ~Anonymous~ said on January 17, 2019 at 7:23 pm

        @Tom, I posted my opinion on the relevance of homepages and Netcraft, but I forgot to say that your approach regarding permissions is very reasonable, and as an addon developer I wish more people followed similar guidelines. It seems to me most people either disregard permissions entirely or get super paranoid when they read something as simple as “access your data for all websites”, and both extremes are bad IMHO. Permissions should be just one more thing to take into consideration when judging whether to trust an extension or not, not the only (or the most determining) factor. There are more important factors like whether it is open source or not and whether it has a privacy policy or not (if it doesn’t have one then it is not meant to collect any data as per AMO’s ToS).

      4. Tom Hawack said on January 17, 2019 at 8:19 pm

        @~Anonymous as a developer yourself you certainly have a pertinent background to illustrate your opinions regarding extensions’ merit.

        I agree with you regarding the fact an extension whose developer has no homepage is not, shouldn’t be a reason of suspicion and I reconsider my related comment above. As for Netcraft you may be right, I have confidence in that company for several reasons but should I be wrong, or excessive, that I’d be ready to avoid stubbornness ::=)

        A word for all developers : I know you like it, especially when free of a company’s directives, but that’s no reason to diminish your commitment to users’ better digital life. Of course I have in mind clean code, need to say :=)

    5. Censored said on January 17, 2019 at 5:38 pm

      People are tired of your Netcraft rants.

      1. John Fenderson said on January 17, 2019 at 7:42 pm

        @Censored:

        You count as all “people”? Because unless you have polling results or something, you can only speak for yourself.

      2. Klaas Vaak said on January 17, 2019 at 7:14 pm

        @Censored: “people”? Who are you speaking for? Did “people” ask you to be their spokesperson? I certainly did not, so I would appreciate it if you stopped speaking on my behalf. Thank you.
