
But there's no proof that the published source code is the source code of the extension! You still have to just trust them.



There's an extension that allows you to view the source of any Chrome extension direct from Chrome's repository.

"Chrome Extension Source Viewer". I use it to audit every single app that I give permission to read each site.


You can always load your own from source.


Sure - but do you? Does anyone?

EDIT: a better solution would be if the store itself allowed you to inspect the source that went into building the plugin. Then you would only need to trust the store itself, which you already do (when you trust the browser).


It's quite common among many groups of people to download and install locally as it also protects you from unwanted automatic updates. For instance, those using MetaMask or Scatter to interact with a blockchain are often advised to install the extension offline.


I have yet to meet a person who did it though. Though I'll admit that the argument against automatic updates is a good one.


> the store itself allowed you to inspect the source that went into building the plugin

Or at least build it from the source code, like F-Droid.


You don't need to install from the store.
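An added example, not part of the thread or of any project mentioned in it: one way to check the concern raised above, by comparing the files in a store-distributed package against a package built locally from the published source. It assumes the CRX3 container layout (magic `Cr24`, version, header length, then a ZIP) and that `_metadata/` holds store-added files; all function names and the sample data are constructed for illustration.

```python
import hashlib, io, struct, zipfile

IGNORED_PREFIXES = ("_metadata/",)  # assumption: store-added files absent from a local build

def zip_payload(pkg: bytes) -> bytes:
    """Return the ZIP part of a package; strips a CRX3 header if present."""
    if pkg[:4] != b"Cr24":
        return pkg  # already a plain ZIP
    if len(pkg) < 12:
        raise ValueError("truncated CRX header")
    version, header_len = struct.unpack("<II", pkg[4:12])
    if version != 3:
        raise ValueError(f"unsupported CRX version {version}")
    return pkg[12 + header_len:]

def file_hashes(pkg: bytes) -> dict:
    """Map each packaged file path to the SHA-256 of its contents."""
    with zipfile.ZipFile(io.BytesIO(zip_payload(pkg))) as zf:
        return {i.filename: hashlib.sha256(zf.read(i)).hexdigest()
                for i in zf.infolist()
                if not i.is_dir() and not i.filename.startswith(IGNORED_PREFIXES)}

def compare(store_pkg: bytes, local_build: bytes) -> dict:
    """Report files that exist on one side only or whose contents differ."""
    store, local = file_hashes(store_pkg), file_hashes(local_build)
    return {
        "only_in_store": sorted(store.keys() - local.keys()),
        "only_in_build": sorted(local.keys() - store.keys()),
        "differs": sorted(p for p in store.keys() & local.keys() if store[p] != local[p]),
    }

def make_zip(files: dict) -> bytes:
    """Build an in-memory ZIP from {path: bytes} (used for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in files.items():
            zf.writestr(path, content)
    return buf.getvalue()

def sample_report() -> dict:
    # Constructed sample data, not a real extension.
    build = {"manifest.json": b'{"name":"demo"}', "bg.js": b"console.log(1)"}
    store = {**build, "bg.js": b"console.log(2)", "extra.js": b"x",
             "_metadata/verified_contents.json": b"[]"}
    crx = b"Cr24" + struct.pack("<II", 3, 4) + b"\x00" * 4 + make_zip(store)
    return compare(crx, make_zip(build))

if __name__ == "__main__":
    print(sample_report())
```

A clean report only means something when the build is reproducible; bundled or minified output will differ between builds unless the toolchain and its inputs are pinned.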



