Making sure a Firefox add-on is safe

A big problem with installing a Firefox add-on or Chrome extension is that you have no idea what it does.

You only know what it says it does, and you know what permissions you grant it, but the permissions are broad. A lot of add-ons require “Access data for all websites” in order to work. The add-on could be doing anything with that data.

Sometimes, the add-on page will link to its source on a web site. That’s all well and good, but how do you know that it’s the same source that’s running in the installed add-on?

This is the process I went through to verify that Don’t Fuck with Paste does what it says and no more.

(Don’t Fuck with Paste is an add-on that prevents web sites from inserting garbage into your clipboard when you copy something and stops web sites from preventing you from pasting into fields.)

  1. Go to the cited page with the source and make sure it’s OK. Don’t Fuck with Paste is refreshingly straightforward. It adds an event handler for copy, cut, and paste that cancels all subsequent event handlers for those events. (Based on the fact that this add-on works, I’m guessing that add-ons get the chance to add event handlers before the page does.)
  2. Install the add-on. Make sure that you turn “Allow automatic updates” off. If you don’t, then anything that you’ve verified as safe can be replaced with something completely different at any time.
  3. Go to about:support in Firefox.
  4. Note the Profile Directory, and open that directory in the terminal or your file navigator.
  5. Go to the extensions subdirectory of the Profile Directory.
  6. Unzip the xpi file corresponding to your add-on. In my case, I ran: unzip -d tmp
  7. Look at the unzipped files. They should match the source. If they don’t match the source, it’s probably not safe because the author isn’t being honest (maybe accidentally) about what’s being shipped. You can examine it more closely to see if the differences are harmless if you want, though.
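As an added example (not code from this post or from the add-on), here is a Python script that automates step 7: it hashes every file inside the installed .xpi (which is just a zip archive), skips the META-INF/ files that Mozilla’s signing step adds, and compares the result against a checkout of the published source, reporting files that differ, files that are shipped but not published, and files that are published but not shipped. The source tree and the .xpi it checks are constructed inline so it runs offline; point compare_xpi_to_source at a real .xpi and source checkout to use it for an actual add-on.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

SIGNING_PREFIXES = ("META-INF/",)  # added by Mozilla's signing step, not part of the source

def hash_source_tree(root):
    # Relative path -> SHA-256 for every file in the published source checkout.
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def hash_xpi(xpi_path):
    # Member path -> SHA-256 for every file in the installed .xpi (a plain zip archive).
    with zipfile.ZipFile(xpi_path) as z:
        return {i.filename: hashlib.sha256(z.read(i)).hexdigest() for i in z.infolist()
                if not i.is_dir() and not i.filename.startswith(SIGNING_PREFIXES)}

def compare_xpi_to_source(xpi_path, source_dir):
    # Returns (only_in_xpi, only_in_source, modified). The first and third deserve scrutiny;
    # the second is usually docs or build files that are never packaged.
    shipped, published = hash_xpi(xpi_path), hash_source_tree(source_dir)
    modified = sorted(p for p in shipped.keys() & published.keys() if shipped[p] != published[p])
    return sorted(set(shipped) - set(published)), sorted(set(published) - set(shipped)), modified

def build_fixture(workdir):
    # Constructed sample data: a tiny source tree and an .xpi that drifts from it.
    src = Path(workdir) / "source"
    src.mkdir()
    handler = "document.addEventListener('copy', e => e.stopImmediatePropagation(), true);\n"
    (src / "manifest.json").write_text('{"name": "example", "version": "1.0"}\n')
    (src / "content.js").write_text(handler)
    (src / "README.md").write_text("Docs only; never shipped in the .xpi\n")
    xpi = Path(workdir) / "example.xpi"
    with zipfile.ZipFile(xpi, "w") as z:
        z.writestr("manifest.json", (src / "manifest.json").read_text())  # identical
        z.writestr("content.js", handler + "console.log('not in the published source');\n")  # changed
        z.writestr("extra.js", "// shipped, but absent from the published source\n")  # added
        z.writestr("META-INF/manifest.mf", "Manifest-Version: 1.0\n")  # signing file, ignored
    return xpi, src

def run_demo():
    with tempfile.TemporaryDirectory() as d:
        return compare_xpi_to_source(*build_fixture(d))

if __name__ == "__main__":
    print(run_demo())  # (['extra.js'], ['README.md'], ['content.js'])
```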

In the case of Don’t Fuck with Paste, the actual add-on code matched the published source. Now, I feel that my clipboard is protected and that the thing protecting my clipboard isn’t a danger even worse than the threats to my clipboard. At least as of 2020-09-08 (September 9, 2020).