Comments on post: CRX Extractor
 
Israel Vicars
@israelvicars · Co-founder, Unicorn.xxx
I've never created a Chrome plugin, so I'm excited to give this a try. I'm curious how plugin creators who purposely did not make their source publicly available would feel about this.
Vinay Hiremath
@vhmth · Founder & Head of Engineering @ Loom
@israelvicars once you ship your code to a client's device, you should never assume that it is safe. I certainly don't for the Opentest extension, which is why we (as well as most extension authors) minify and uglify the JavaScript they ship. If you are on Mac, you can also access the code of any extension installed on your computer in this folder: ~/Library/Application\ Support/Google/Chrome/Default/Extensions (~ is your home directory).
Vladimir Ignatev
@v_ignatyev · I believe in tech and people.
@vhmth @israelvicars May I add this hack recipe onto the CRX Extractor page?
Vinay Hiremath
@vhmth · Founder & Head of Engineering @ Loom
@v_ignatyev @israelvicars yeah go for it. It's public info. :-)
Vladimir Ignatev
@v_ignatyev · I believe in tech and people.
@vhmth @israelvicars btw about "uglification", there are a few lines on the About page. It seems to be a problem, but I've tried a few very popular Chrome extensions using my own tool and fortunately they contained even source code comments )
Vinay Hiremath
@vhmth · Founder & Head of Engineering @ Loom
@v_ignatyev @israelvicars hmm I wouldn't consider it a problem. It's honestly quite fair. 1. You want to make sure the footprint of your extension (size of the app) is as small as possible. 2. Although you want to ensure that people can check the source code for security reasons (and because this code literally runs on their device), some level of defensibility is warranted by the author.
Vladimir Ignatev
@v_ignatyev · I believe in tech and people.
@vhmth @israelvicars Also, I'm thinking about a minor UI improvement: swapping the Download .CRX and Get source panes, because downloading the .crx comes first and should be on the left. What do you think?
Vinay Hiremath
@vhmth · Founder & Head of Engineering @ Loom
@v_ignatyev @israelvicars why not just make it so your server downloads the CRX file? You have to accept an upload anyhow.
Spencer Dailey
@spencenow · maker; editor at Techmeme
@israelvicars well, if you're Facebook, you declare 'unsafe-eval' for the extension's content_security_policy and load/eval the JavaScript after the fact (as they did with their Save extension: https://chrome.google.com/websto... ). Most simply uglify/compress the code (par for the course). I personally think that any extension that asks for your browser history (or more) should have fully-readable source.
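An added example, not part of the original thread or of CRX Extractor's code: a check of an unpacked extension's manifest.json for the two things raised in the comment above, 'unsafe-eval' in content_security_policy and permissions that expose browsing history. The function name, the finding labels and the permission subset are choices made for this illustration, and the sample manifest is constructed.

```javascript
'use strict';
// Added example (not CRX Extractor code): flag 'unsafe-eval' and
// browsing-activity permissions in an unpacked extension's manifest.json.

// Illustrative subset of Chrome permissions that expose browsing activity.
const SENSITIVE = new Set(['history', 'tabs', 'webNavigation', 'topSites']);
const BROAD_HOSTS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// Manifest V2 stores the CSP as one string; V3 as an object keyed by scope.
function cspPolicies(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') return { extension_pages: csp };
  return csp && typeof csp === 'object' ? csp : {};
}

function auditManifest(manifest) {
  const findings = [];
  for (const [scope, policy] of Object.entries(cspPolicies(manifest))) {
    if (typeof policy !== 'string') continue;
    for (const directive of policy.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name && sources.some((s) => s.toLowerCase() === "'unsafe-eval'")) {
        findings.push(`csp:${scope}:${name.toLowerCase()}:unsafe-eval`);
      }
    }
  }
  const requested = ['permissions', 'optional_permissions', 'host_permissions']
    .flatMap((key) => (Array.isArray(manifest[key]) ? manifest[key] : []));
  for (const perm of requested) {
    if (SENSITIVE.has(perm)) findings.push(`permission:${perm}`);
    else if (BROAD_HOSTS.has(perm)) findings.push(`broad-host:${perm}`);
  }
  return findings;
}

// Constructed sample manifest, not taken from any real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: 'constructed-sample',
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
  permissions: ['history', 'storage', '<all_urls>'],
};
console.log(auditManifest(SAMPLE_MANIFEST));
```

To use it on an installed extension, pass the parsed manifest.json found in each version directory under the Extensions folder mentioned earlier in the thread.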
Vladimir Ignatev
@v_ignatyev · I believe in tech and people.
@vhmth at first, it was easy to make) and a server seems to be useless for such a simple tool. Why do I need this useless "state" - a downloaded CRX? Probably in the future it will become necessary, when a static analyzer is implemented.
Vinay Hiremath
@vhmth · Founder & Head of Engineering @ Loom
@v_ignatyev you could always try to do the processing in the browser. Make an XHR request in the browser/in a web worker, and do the parsing there. Make sure you implement a loading bar is all. :-P