Permission Inspector for Firefox
Permission Inspector is a new extension for the Firefox web browser that provides details on the permissions that installed Firefox extensions requested.
Firefox displays a permissions prompt when users install extensions from the Mozilla Add-ons Store or from elsewhere; the listed permissions are requested explicitly by extensions to extend the available functionality (all extensions share access to certain functions that are permitted by default).
While users may verify permissions during the installation dialog, requested permissions are not listed on Firefox's about:addons page. The page is the management interface for extensions, themes and other components.
I'm not aware of an option to list extension permissions in Firefox. Firefox users can visit an extension's page on Mozilla's Firefox Add-ons Store, where the permissions are listed in the sidebar.
Permission Inspector is a Firefox extension that changes that; it displays all extra permissions that installed extensions require to function. Even better: it lists some permissions that are not listed on Mozilla AMO or during installation of the extension.
Just click on the Permission Inspector button in the Firefox interface to open the local management page.
The page is divided into an Extensions tab and a Permissions tab. The Extensions tab lists the description of each extension and its requested permissions. Firefox add-ons that are installed but disabled show only the description and no permission information.
System add-ons, extensions installed by Mozilla automatically, are not listed on the page.
The Permissions page lists each requested permission and the extensions that requested them. It offers a different view and gives you options to check specific permissions that you consider critical or problematic.
It lists the permission name, e.g. Notifications, and then the extensions that have that permission.
Closing Words and verdict
Permission Inspector is a useful extension; it is actually something that should be integrated in Firefox to provide users with the information that it provides.
It displays all permissions of all extensions installed in the browser. There is room for improvement though. I'd like to see links to about:addons, an extension's management page in Firefox, and an extension's page on Mozilla AMO.
A rating system of sorts might also be useful to look into; not all permissions are equally problematic for users, and Permission Inspector could use a rating system and provide filters or sort options to list the most problematic extensions at the top of the listing.
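The Permissions view described earlier and the rating idea above can be sketched together. This is an added example, not Permission Inspector's code: the sample add-ons and the weights are constructed assumptions, while the object shape follows what browser.management.getAll() returns to an extension holding the "management" permission.

```javascript
// Constructed sample, shaped like the ExtensionInfo objects returned by
// browser.management.getAll(). Names and permission sets are made up.
const SAMPLE = [
  { name: "Tab Sorter", type: "extension", enabled: true,
    permissions: ["tabs", "storage"], hostPermissions: [] },
  { name: "Page Translator", type: "extension", enabled: true,
    permissions: ["webRequest", "webRequestBlocking", "notifications"],
    hostPermissions: ["<all_urls>"] },
  { name: "Dark Theme", type: "theme", enabled: true,
    permissions: [], hostPermissions: [] },
  { name: "Old Helper", type: "extension", enabled: false,
    permissions: ["cookies"], hostPermissions: ["*://*.example.org/*"] },
];

// Illustrative weights (an assumption of this example, not a Mozilla rating).
const WEIGHTS = new Map([["nativeMessaging", 5], ["webRequest", 4],
  ["webRequestBlocking", 4], ["cookies", 4], ["history", 3], ["tabs", 2],
  ["notifications", 1], ["storage", 0]]);

// Match patterns that cover every site, e.g. <all_urls> or *://*/*
const isBroadHost = (p) => p === "<all_urls>" || /^(\*|https?):\/\/\*\/\*$/.test(p);

function weightOf(perm) {
  if (isBroadHost(perm)) return 5;
  if (perm.includes("://")) return 2; // host access limited to named sites
  return WEIGHTS.has(perm) ? WEIGHTS.get(perm) : 1; // unknown API permission
}

// Everything an add-on holds: API permissions plus host match patterns.
const allPerms = (ext) => [...(ext.permissions || []), ...(ext.hostPermissions || [])];
const onlyExtensions = (list) => list.filter((e) => e.type === "extension");

// "Permissions" view: permission -> sorted names of the extensions holding it.
function byPermission(list) {
  const index = new Map();
  for (const ext of onlyExtensions(list)) {
    for (const perm of allPerms(ext)) {
      if (!index.has(perm)) index.set(perm, []);
      index.get(perm).push(ext.name);
    }
  }
  for (const names of index.values()) names.sort();
  return index;
}

// Rating view: highest cumulative weight first, so broad access tops the list.
function rankExtensions(list) {
  return onlyExtensions(list)
    .map((ext) => ({ name: ext.name, enabled: ext.enabled,
      score: allPerms(ext).reduce((sum, p) => sum + weightOf(p), 0) }))
    .sort((a, b) => b.score - a.score || a.name.localeCompare(b.name));
}
```

Inside an extension, the SAMPLE array would be replaced by the result of await browser.management.getAll().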
Permission Inspector is not the first extension of its kind. We reviewed Project Insight in 2018 which offers similar functionality.
Google Chrome displays requested permissions natively for each installed extension.
Now You: How do you handle extension permissions?
Firefox is becoming as bloated as Windows 10
You need more inspectors than the secret police !!
Escape from Mozilla, grab a FOSS Browser NOW !!!
Aren’t the same things listed before you install an extension? I like Martin’s suggestions for additional info.
If an extension’s permissions are excessive for what it does (access to everything for a static theme, for example), I won’t touch it. FF’s, for the most part are OK; chrome’s are more of a treasure hunt to find good ones.
Very interesting, thank you !
@Censored:
Please shut-up. Quit talking for the “people”.
That’s quite interesting, but overall doesn’t say much.
Since the permissions are basically local, and they are necessary for an extension to operate, a better way would be to filter for reputation or code quality.
This is what Mozilla will basically do, a manually curated extension store is on their roadmap for 2019.
The other way is how Chrome handles it, creating different automated layers of control, which requires lots of time and energy, and only makes sense for big ecosystems with hundreds of millions of users.
Am I blind or does this extension not list itself in the extensions tab?
Blind? Short sighted rather. In my ff at least it puts its clickable logo on the topbar.
Logo is in top bar also for me. What I meant was, the tab that gets opened when clicked, “Details of all the permissions used by each installed extension”, this extension is not listed for me…
So it turned out I was not reading correctly, ’cause you’re right.
Regarding Firefox extensions I don’t focus on the permissions they require but mainly on the developer,
– is he new, has he other extensions available on AMO?
– his homepage, if other than GitHub or GitLab then what does Netcraft have to say about it?
– lack of homepage is for me a very bad sign, but not determinant.
I’ve already refused extensions because their developer’s homepage had a very bad ‘Netcraft Risk Rating’ (https://toolbar.netcraft.com/site_report?url=), I’ve even discovered one with a 9/10 risk rating…
I’m as well reluctant to even investigate extensions which have no description and/or a developer obviously a visitor for the time of proposing his extension (like ‘firefoxuserxxx’).
All this taken into consideration I may then install and test an extension; depending on its ambition I’ll test it more or less thoroughly. Given the fact moreover I have 40+ extensions installed I’ll be cautious about any functions overlaps, redundancies and compatibility.
As I understand it checking permissions doesn’t necessarily link to an extension’s probity but may as well simply concern what the user would consider an excessive permissions’ price given the extension’s requirements, and I happen to follow this approach when I hesitate between two extensions doing exactly the same job : in that case I tend to choose the extension requiring less permissions, but again up to now I haven’t focused on an extension’s permissions in the sense of a veto.
You can’t blindly trust an extension because the developer is famous. We have seen cases where famous extensions were ‘hacked’ (see CopyFish/Mega) and some put backdoor (see Stylish). Some good legacy extensions didn’t even have homepage, too bad they were no longer developed.
About the firefoxuserxxx, I think it’s Mozilla’s bug. Didn’t know why Mozilla changed extension’s dev name to that (happens to me too)
I think both Tom Hawack & anonymous developer gave very good points. In my case, personally I don’t rely on opinions of any other third-parties except for some from experienced users I can trust. Basically I follow these three rules to make sure my security with hundreds of extensions (or you shouldn’t install so many because of large attack surface and risk):
1. All the closed sources out.
2. View source code of a new one before I add it for daily use via “Extension source viewer”, by checking all the hosts it may connect with, or whether there is code obfuscation, which is easy and a non-geek user can also do it.
3. The most important I think, disable auto-installing new version before I see what the new things are in its updating.
@Anonymous, on your second point I have no idea if (some of) those Firefoxuserxxx developers appear as such because of a Mozilla AMO bug. That would be news for me. Worth being investigated of course and, as far as I’m concerned, would appear as a non-criteria if related to a bug.
Concerning your first point, how to disagree? Not only is a developer’s fame a non-criteria in the sense of absolute but neither is an extension’s oldness nor is the fact a developer’s extension library filled with many healthy ones. I’d say confidence is impacted by these arguments but shouldn’t be systematic. The same as software, applications : I catch myself being tempted to not send to Virustotal updates of applications I’ve been using for ages and then recall the scheme of infiltrated spies who gained confidence on the basis of time and trustworthiness because of performing excellently until the day they wake up, are waked up or become “turned” (“retourné” in French, no idea of the correct translation, we never operated in the States, lol!).
Caution is good, suspicion is bad.
@Censored, get lost
@Tom, maybe is too much to ask and you don’t have the time or the patience, but what extensions are you using? Thank you.
@Marco, sure : FF_extensions_2019-01-17.htm at https://mon-partage.fr/f/2yxHEeRS/
The site is labeled in French, just click on ‘Télécharger’ (=’Download’).
The file is crafted by Nirsoft’s SysExporter application on the basis of my extensions’ list summarized by CCleaner. The rendering provides more info and is easier to read than a plain txt format, especially with 42 extensions.
I have to try some of those! Thank you, Tom :)
@Tom Hawack: the UK is part of the 5 Eyes, Netcraft is based in the UK, and via the toolbar it knows every move you make on the net, which is very useful information. Still trust it?
“UK is part of the 5 Eyes”
The same 5 eyes that ‘have been looping Germany and Japan in on information about China and Russia’ (and who knows what else).
What’s your point?
@Klaas Vaak, maybe are you referring to the ‘Netcraft Anti-Phishing Extension’ which indeed follows a user on every visited page given the very nature of the extension. I don’t use that extension but only a bookmarklet to send a page to Netcraft’s analysis :
javascript:void(open('https://toolbar.netcraft.com/site_report?url='+location.hostname))
It’s as simple as that and I don’t get followed but neither am I proactively protected considering the extension has the potential to block pages if the user has chosen that option.
My approach confirms your opinion and I’d even say that I think twice before adding an extension which follows the user, even if the extension is supposedly clean : I dislike baby-sitters (for myself) and I may reasonably fear that a baby-sitter occasionally hides less sweet aims :=)
@Tom Hawack: you’re right, inadvertently I was referring to the anti-phishing extension, sorry.
Thanks for the bookmarklet :-)
Netcraft reports innocuous sites such as Github pages (https://user.github.io/project/) with a risk rating as high as 7/10, which is just ridiculous. Besides, homepages don’t necessarily have anything to do with the quality of an extension. Most individuals don’t get paid for developing addons, and if you can’t afford to pay for it, you either don’t have a homepage or you use free hosting solutions (such as Github pages). In fact, I’d typically find extensions authored by brands (like companies or such) to be far less trustworthy than extensions made by random individuals because the former are rarely open source and they more often than not try to monetize them in one way or another.
Source: I’m an addon developer.
@~Anonymous, I don’t rely exclusively on Netcraft but I admit a certain confidence in the company’s security analysis skills.
An extension’s developer not having a homepage is less important than that homepage being badly noted by Netcraft. You disagree, fine.
“I’d typically find extensions authored by brands (like companies or such) to be far less trustworthy than extensions made by random individuals”
Last but not least, being hosted on a serious site is not a guarantee of an extension’s honesty, so to say. I do make the difference between the host and the extension.
I agree. Besides, extensions’ homepages poorly noted by Netcraft have always included only, in my experience, companies and not individuals.
@Censored, who “people”, Did you lead a survey? Speak for yourself, I won’t bite you, no need to include unknown “people” to legitimate your opinion!
“people”, “we”, “they” … and it happens often. Just say, write “I” :=)
Why not proceed as ~Anonymous, next comment, and develop, argument!
@Tom, I posted my opinion on the relevance of homepages and Netcraft, but I forgot to say that your approach regarding permissions is very reasonable, and as an addon developer I wish more people followed similar guidelines. It seems to me most people either disregard permissions entirely or get super paranoid when they read something as simple as “access your data for all websites”, and both extremes are bad IMHO. Permissions should be just one more thing to take into consideration when judging whether to trust an extension or not, not the only (or the most determining) factor. There are more important factors like whether it is open source or not and whether it has a privacy policy or not (if it doesn’t have one then it is not meant to collect any data as per AMO’s ToS).
@~Anonymous as a developer yourself you certainly have a pertinent background to illustrate your opinions regarding extensions’ merit.
I agree with you regarding the fact an extension whose developer has no homepage is not, shouldn’t be a reason of suspicion and I reconsider my related comment above. As for Netcraft you may be right, I have confidence in that company for several reasons but should I be wrong, or excessive, that I’d be ready to avoid stubbornness ::=)
A word for all developers : I know you like it, especially when free of a company’s directives, but that’s no reason to diminish your commitment to users’ better digital life. Of course I have in mind clean code, need to say :=)
People are tired of your Netcraft rants.
@Censored:
You count as all “people”? Because unless you have polling results or something, you can only speak for yourself.
@Censored: “people”? Who are you speaking for? Did “people” ask you to be their spokesperson? I certainly did not, so I would appreciate it if you stopped speaking on my behalf. Thank you.