| ▲ | nickjj 6 hours ago | |
> How do you check that the open sourced code is the same one that you are installing from the extension repository and actually running? Extensions are local files on disk. After installing it, you can audit it locally. I don't know about all operating systems but on Linux they are stored as .xpi files which are zip files. You can unzip it. On my machine they are installed to $HOME/.mozilla/firefox/52xz2p7e.default-release/extensions but I think that string in the middle could be different for everyone. Diffing it vs what's released in its open source repo would be a quick way to see if anything has been adjusted. | ||
| ▲ | AJ007 4 hours ago | parent [-] | |
Extensions are trivial unless they have to run external software or services. Download the extension, extract the source, audit it with a good thinking model and either strip out all third party URLs/addresses or have the agent clone the functionality you want. | ||