by euid 2216 days ago
You can audit the code of a Firefox extension by unzipping the .xpi file in the extensions directory within your browser profile directory.

Not ideal, but it's better than nothing.

2 comments

Are you proposing to do that for every update that comes in, for every extension? Far from ideal.
Oh, yes, it's far from ideal.

I'm reminded of the ArchLinux AUR, which deals with a problem kind of like this. AUR managers show a diff of what changed in a package on each update.

Perhaps one could make extension auditing easier by scripting together a Git repository from extracted xpis, and presenting updates as patches to that repository. This is probably only viable for high-security environments - it's not worth it in the common case.

Of course, the real fix would come from Firefox itself: it should provide signed extensions and a way to tie them back to Git repositories with source code, which would eliminate the need for the above automation, and allow people to crowdsource extension auditing.
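A minimal version of the snapshot-and-diff idea from the comment above, as an added example that is not from the thread: it unpacks two versions of an .xpi (a plain zip archive) into file maps, reports added, removed and changed files plus any permissions that are new in manifest.json, and emits a unified patch. It uses difflib in place of a real Git repository, and the two .xpi archives are constructed in memory.

```python
import difflib
import io
import json
import zipfile

def snapshot_xpi(xpi_bytes):
    """Unpack an .xpi (a plain zip archive) into {path: bytes} for auditing."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}

def diff_snapshots(old, new):
    """Compare two snapshots: added/removed/changed paths plus a unified patch."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = sorted(p for p in old.keys() & new.keys() if old[p] != new[p])
    patch = []
    for path in changed + added:
        a = old.get(path, b"").decode("utf-8", "replace").splitlines(keepends=True)
        b = new[path].decode("utf-8", "replace").splitlines(keepends=True)
        patch += difflib.unified_diff(a, b, fromfile="a/" + path, tofile="b/" + path)
    return {"added": added, "removed": removed, "changed": changed, "patch": "".join(patch)}

def new_permissions(old, new):
    """Permissions present in the new manifest.json but absent from the old one."""
    def perms(snap):
        raw = snap.get("manifest.json", b"{}")
        return set(json.loads(raw.decode("utf-8")).get("permissions", []))
    return sorted(perms(new) - perms(old))

def build_xpi(files):
    """Constructed sample input: pack {path: text} into an in-memory .xpi."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, text in files.items():
            zf.writestr(path, text)
    return buf.getvalue()

# Constructed example: version 1.1 of a demo extension adds a permission and a new script.
XPI_V1 = build_xpi({
    "manifest.json": '{"name": "demo", "version": "1.0", "permissions": ["storage"]}\n',
    "background.js": "browser.storage.local.set({seen: true});\n",
})
XPI_V2 = build_xpi({
    "manifest.json": '{"name": "demo", "version": "1.1", "permissions": ["storage", "<all_urls>"]}\n',
    "background.js": "browser.storage.local.set({seen: true});\n",
    "content.js": "document.body.dataset.demo = 'injected';\n",
})
if __name__ == "__main__":
    old, new = snapshot_xpi(XPI_V1), snapshot_xpi(XPI_V2)
    print(new_permissions(old, new), diff_snapshots(old, new)["patch"], sep="\n")
```

For real use, feed it the .xpi files from the profile's extensions directory before and after an update, and keep each snapshot so the next update can be diffed against it.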

Since the rise of TypeScript and other transpilers to JavaScript, this isn't very feasible.