How are people validating extensions these days? Obviously you can run none, but if you want to use one, is there an easy way to verify it?
The source is part of the package, at worst minified, obfuscated, pulling code from external sources. You can inspect it yourself by unpacking the extension installation package and browsing the JavaScript.
So what, you read every line of JavaScript? Or you have some tool for that? I personally can’t imagine catching every potential issue, especially something sneaky, from source.
> is there an easy way to verify it?
No, because they don't enforce their rules against obfuscation.
Even if there was, it wouldn't help you - extensions regularly get sold to scammers who can push whatever update they want. I documented an extension with a few hundred thousand install base that got sold and turned into malware. Overnight it went from tens of lines of unobfuscated code to 10k+ lines obfuscated. Then they flooded the extension's review pages with fake reviews to bury complaints. I got a ticket opened through a contact, which to Google's credit they investigated, but they decided it wasn't violating enough policies to take any action.
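The update described above (tens of readable lines becoming 10k+ obfuscated lines overnight) is the kind of change a diff between two unpacked releases surfaces quickly. The following Node.js script is an added example, not code from any commenter: the growth and line-length thresholds, the hint patterns and the two sample releases are assumptions constructed for illustration.

```javascript
// Added example; thresholds, patterns and sample data are assumptions, not from the thread.
const HINTS = [
  ["hex-style identifiers", /\b_0x[0-9a-f]{3,}\b/i],
  ["eval or Function constructor", /\beval\s*\(|\bnew\s+Function\s*\(/],
  ["long escaped string", /(?:\\x[0-9a-f]{2}){8,}/i],
];

// Line count, longest line and obfuscation hints across all files of a release.
function stats(files) {
  let lines = 0, longest = 0;
  const hints = new Set();
  for (const src of Object.values(files)) {
    for (const line of src.split("\n")) {
      lines += 1;
      longest = Math.max(longest, line.length);
    }
    for (const [name, re] of HINTS) if (re.test(src)) hints.add(name);
  }
  return { lines, longest, hints: [...hints] };
}

const perms = (m) => new Set([...(m.permissions || []), ...(m.host_permissions || [])]);

// Returns a list of human-readable findings for an update from oldRel to newRel.
function compareReleases(oldRel, newRel) {
  const before = stats(oldRel.files), after = stats(newRel.files);
  const had = perms(oldRel.manifest);
  const findings = [];
  if (after.lines >= before.lines * 10)
    findings.push(`code grew ${before.lines} -> ${after.lines} lines`);
  if (before.longest <= 500 && after.longest > 500)
    findings.push(`minified-looking line of ${after.longest} chars appeared`);
  for (const h of after.hints.filter((x) => !before.hints.includes(x)))
    findings.push(`new obfuscation hint: ${h}`);
  for (const p of [...perms(newRel.manifest)].filter((x) => !had.has(x)))
    findings.push(`new permission: ${p}`);
  return findings;
}

// Constructed sample releases (not a real extension).
const v1 = {
  manifest: { manifest_version: 3, version: "1.0", permissions: ["storage"] },
  files: { "popup.js": "const el = document.querySelector('#count');\nel.textContent = '0';" },
};
const v2 = {
  manifest: { manifest_version: 3, version: "1.1", permissions: ["storage", "tabs"], host_permissions: ["<all_urls>"] },
  files: { "bg.js": Array.from({ length: 40 }, (_, i) => `var _0x${(4096 + i).toString(16)}=${i};`).join("\n") },
};
console.log(compareReleases(v1, v2));
```

An empty result only means none of these coarse signals changed between the two releases; it does not show that an update is benign.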
Behind! The online safety act makes netizens safer again!
This needs to be reported to Chromestore, en masse.
Just put it in the pile with the rest of the Google app store malware.
And Google will do nothing about it.