by asgrdz
1973 days ago
I disable automatic updates for all extensions, as well as personally reviewing the source of every extension before installation. The review doesn't take much time. What I look for:

1. The manifest for what network endpoints the extension is allowed to call.
2. Any URL in the code that is external to the extension.
3. Any remote network function (fetch/XHR/links) and traceback to the call sites.
4. Whether there is any obfuscated code or not.

If anything found in those spots seems fishy / unclear, I don't install the extension. Takes a few minutes, but catches most of the threat vectors. Skimming the code also gives me a sense of what sort of developer is behind the extension. Some code clearly shows a developer cares about privacy and/or security, which unconsciously adds karma for that dev in my book. Like others above, I don't use many extensions, but those I use I have to trust.
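A script that mechanizes the four checks listed in the comment above (manifest network scope, external URL literals, remote-network call sites, obfuscation indicators), added here as an illustration and not the commenter's own tooling. The extension it scans is constructed inside a temporary directory so the script runs offline; the host names are made up (`.invalid` TLD), and the regexes for "network API" and "obfuscation" are assumptions about what is worth a human's second look, not a complete list.

```python
"""Static triage of an unpacked browser extension along the four points in the
comment above: manifest network scope, external URL literals, remote-network
call sites, and obfuscation indicators. Findings are for a human to read, not
a verdict. The sample extension it builds is constructed for this demo."""
import json
import re
import tempfile
from pathlib import Path

CODE_SUFFIXES = {".js", ".mjs", ".html", ".json"}
URL_RE = re.compile(r"""https?://[^\s'"<>)\]]+""")
# Assumed set of browser APIs that reach the network from extension code.
NETWORK_API_RE = re.compile(
    r"\b(fetch\s*\(|new\s+XMLHttpRequest\b|navigator\.sendBeacon\s*\(|new\s+WebSocket\s*\()")
# Manifest entries that grant reach beyond the extension's own origin.
NETWORK_PATTERN_RE = re.compile(r"^(\*|https?|wss?|ftp)://|^<all_urls>$")
# Assumed obfuscation indicators; each is a prompt to read the file by hand.
OBFUSCATION_RES = {
    "eval": re.compile(r"\beval\s*\("),
    "new Function": re.compile(r"\bnew\s+Function\s*\("),
    "fromCharCode chain": re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}"),
    "long opaque string": re.compile(r"""['"][A-Za-z0-9+/=]{200,}['"]"""),
}


def manifest_network_scope(manifest: dict) -> list:
    """Point 1: permissions and host patterns that let the extension reach the network."""
    scope = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        for entry in manifest.get(key, []):
            if NETWORK_PATTERN_RE.match(entry):
                scope.append((key, entry))
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            scope.append(("content_scripts.matches", pattern))
    return scope


def review_extension(root) -> dict:
    """Points 2-4: scan every code/HTML/JSON file and record (file, line, finding)."""
    root = Path(root)
    manifest = json.loads((root / "manifest.json").read_text(encoding="utf-8"))
    report = {"network_scope": manifest_network_scope(manifest),
              "external_urls": [], "network_calls": [], "obfuscation": []}
    files = sorted(p for p in root.rglob("*") if p.is_file() and p.suffix in CODE_SUFFIXES)
    for path in files:
        rel = path.relative_to(root).as_posix()
        text = path.read_text(encoding="utf-8", errors="replace")
        for lineno, line in enumerate(text.splitlines(), 1):
            for url in URL_RE.findall(line):
                report["external_urls"].append((rel, lineno, url))
            for m in NETWORK_API_RE.finditer(line):
                api = re.sub(r"\s+", " ", m.group(1)).rstrip("( ")
                report["network_calls"].append((rel, lineno, api))
            for name, rx in OBFUSCATION_RES.items():
                if rx.search(line):
                    report["obfuscation"].append((rel, lineno, name))
    return report


def build_sample_extension(root) -> Path:
    """Write a constructed extension that trips each check; not a real extension."""
    root = Path(root)
    manifest = {
        "manifest_version": 3, "name": "Sample (constructed)", "version": "1.0",
        "permissions": ["storage", "tabs"],
        "host_permissions": ["https://api.example.invalid/*"],
        "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
    }
    (root / "manifest.json").write_text(json.dumps(manifest, indent=2), encoding="utf-8")
    (root / "background.js").write_text(
        '// Constructed sample: pulls a config from a remote host.\n'
        'const CONFIG_URL = "https://api.example.invalid/config";\n'
        'async function loadConfig() {\n'
        '  const r = await fetch(CONFIG_URL);\n'
        '  return r.json();\n'
        '}\n', encoding="utf-8")
    opaque = "QUJD" * 60  # 240 base64-looking chars: the kind of blob worth a closer look
    (root / "content.js").write_text(
        '// Constructed sample: opaque payload, beacon, and eval.\n'
        f'const payload = "{opaque}";\n'
        'navigator.sendBeacon("https://telemetry.example.invalid/b", document.title);\n'
        'eval(atob(payload));\n', encoding="utf-8")
    return root


def run_demo() -> dict:
    """Build the sample in a temporary directory and return its review report."""
    with tempfile.TemporaryDirectory() as tmp:
        return review_extension(build_sample_extension(tmp))


def format_report(report: dict) -> str:
    lines = []
    for section, items in report.items():
        lines.append(f"== {section} ({len(items)})")
        lines.extend("  " + " : ".join(str(x) for x in item) for item in items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(run_demo()))
```

Running it prints one section per check, each finding tagged with file and line so the call sites can be traced back as the comment describes. On a real unpacked extension, call `review_extension(path_to_dir)` instead of `run_demo()`; the output is a reading list, and the `<all_urls>` content-script match plus the `eval` of a 240-character blob are exactly the combination that should end the review early.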