
> you can clone it on your local machine, read through our code to verify that it is not malicious, and then install it

I like that the authors share my concern about installing an extension that would by design record every page I visit. However, the repository contains several minified JavaScript files [1]. This somewhat contradicts their invitation to read through the code.

[1] https://github.com/lengstrom/falcon/tree/master/extension/js...




Switch to Firefox and only use fully reviewed/approved add-ons if you're serious about this. I just put a ported Chrome extension through the full Firefox add-on review process (thanks to WebExtensions they're easy to port now), and those guys rejected my extension twice because they couldn't replicate my minified code from my dependencies to the exact byte.

The Chrome Web Store doesn't care what I upload and push down to my users. I've had numerous requests from spammers looking to buy my extension based on the number of users and their geography. I guess once they buy an extension they push malware down to the users, so even if you can trust the extension developer or source now, you can't keep that trust up indefinitely.


I agree that the third-party JavaScript files should also be supplied in full, and minified during the build process.

However, I've found the originals so you can still check if they contain 'contaminated' code.

chrono: https://www.npmjs.com/package/chrono-node - a natural language date parser for Node and Browserify

notie: https://www.npmjs.com/package/notie - a clean and simple notification, input, and selection suite for javascript, with no dependencies

readability: https://github.com/arrix/node-readability - Node implementation of Arc90's Readability (however seems this code has been slightly modified)

semantic: https://github.com/Semantic-Org/Semantic-UI - Semantic UI JS support

stopwords: list of stopwords for the English language
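
A byte-for-byte check of the kind discussed in the comments above, as an added example that is not part of the thread or of the extension's repository. It assumes you have reproduced reference builds from the upstream packages yourself; the file names and contents here are constructed, and `auditVendored` is a hypothetical helper name.

```javascript
// Added example; file names and contents are constructed sample data.
// Strip only line-ending noise, so a CRLF checkout or a missing final
// newline is reported separately from a real code change.
function normalise(buf) {
  const text = buf.toString('latin1'); // latin1 round-trips every byte
  return Buffer.from(text.replace(/\r\n/g, '\n').replace(/[ \t\r\n]+$/, ''), 'latin1');
}

// Offset of the first differing byte, or -1 if the buffers are identical.
function firstDiff(a, b) {
  const n = Math.min(a.length, b.length);
  for (let i = 0; i < n; i++) if (a[i] !== b[i]) return i;
  return a.length === b.length ? -1 : n;
}

// vendored, reference: Map of file name -> Buffer (e.g. from fs.readFileSync).
function auditVendored(vendored, reference) {
  return [...vendored].map(([name, got]) => {
    const want = reference.get(name);
    if (want === undefined) return { name, status: 'no-reference' };
    const offset = firstDiff(got, want);
    if (offset === -1) return { name, status: 'identical' };
    if (firstDiff(normalise(got), normalise(want)) === -1) {
      return { name, status: 'whitespace-only', offset };
    }
    // Minified files are usually one long line, so show a byte window
    // around the first difference rather than a line diff.
    const start = Math.max(0, offset - 16);
    const around = (b) => b.subarray(start, offset + 16).toString('latin1');
    return { name, status: 'modified', offset, vendored: around(got), reference: around(want) };
  });
}

// Constructed inputs: "reference" stands in for builds reproduced from upstream.
const reference = new Map([
  ['a.min.js', Buffer.from('var a=1;\nvar b=2;\n')],
  ['b.min.js', Buffer.from('var a=1;\nvar b=2;\n')],
  ['c.min.js', Buffer.from('function grab(d){return d.body.textContent}\n')],
]);
const vendored = new Map([
  ['a.min.js', Buffer.from('var a=1;\nvar b=2;\n')],         // exact copy
  ['b.min.js', Buffer.from('var a=1;\r\nvar b=2;\r\n')],     // CRLF checkout
  ['c.min.js', Buffer.from('function grab(d){return d.body.innerText}\n')], // edited
  ['d.js', Buffer.from('var words=["a","the"];\n')],         // nothing to compare to
]);
console.log(auditVendored(vendored, reference));
```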


It serves no purpose, reviewing third-party code that you don't even know is the same that is distributed. But anyways, since Chrome has autoupdate for addons, it doesn't matter if you're reviewing the addons you install or not, because it can change at any point.


If you clone it on your local machine you also won't receive any automatic updates.


Don't Chrome extensions automatically update themselves? Assuming no permissions are changed I think they do. It would be nice if there was some sort of version pinning.

After some investigating, this extension doesn't have an update_url in the manifest.json, so I think that means it won't/can't auto-update.


Every extension in the Web Store auto-updates; it doesn't need update_url.


Why do you think it would be practical to identify malicious code even if it wasn't minified? See: http://www.underhanded-c.org/



