Re: How is it possible for add-ons to be proprietary
Posted: Sun Apr 01, 2018 8:27 pm
rehash wrote:
So in conclusion the only way to be sure that by using an add-on you're running only free open software is to check:
- its license
- that all files in its XPI are source files and not binary files
- every last line of its source code, because in one line it can fetch proprietary unknown code and execute it
This is a security and privacy nightmare. Is there any control over add-ons that are offered on addons.mozilla.org and over what they really do? Who checks this and how - for each new version? How can a user know which add-ons are trustworthy?

Pretty much. Security is a proactive endeavor, not a passive one. You can either trust that they are legit or do your due diligence; unfortunately there is not much in between. Theoretically, WebExtensions alleviate this, as they are for all intents and purposes limited to being purely scripted, which should imply that you can't do that anymore, but you can theoretically still import external scripts, so there is that. There are, I am sure, script analyzers you can dump the code into to get a breakdown of what's in there and to expedite analysis a bit, but again that's a matter of dealer's choice (meaning what works for you to feel comfortable with something); no one can really tell you how to approach your own peace of mind.
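
A first-pass triage of the checklist discussed above, as an added example that is not part of the original posts: it opens an XPI as the ZIP archive it is, lists license files, flags compiled binaries, and flags script lines that load or evaluate code from outside the package. The function names, the heuristic patterns and the sample archive are assumptions constructed for illustration, and a clean report does not replace reading the source.

```python
import io
import re
import zipfile

# Magic numbers of common compiled formats (ELF, PE/DOS, Mach-O 64-bit, WebAssembly).
BINARY_MAGIC = (b"\x7fELF", b"MZ", b"\xcf\xfa\xed\xfe", b"\x00asm")
SCRIPT_EXT = (".js", ".jsm", ".html", ".htm", ".xul")
# Heuristic patterns for code that loads or evaluates something not in the package.
REMOTE_CODE = re.compile(
    r"https?://[^\s\"']+\.js\b|\beval\s*\(|\bnew\s+Function\s*\(|\bimportScripts\s*\("
)

def audit_xpi(data):
    """Return a report dict for the XPI (ZIP) archive given as bytes."""
    report = {"license_files": [], "binaries": [], "remote_code": []}
    with zipfile.ZipFile(io.BytesIO(data)) as xpi:
        for info in xpi.infolist():
            if info.is_dir():
                continue
            name, body = info.filename, xpi.read(info)
            base = name.rsplit("/", 1)[-1].lower()
            if base.startswith(("license", "copying")):
                report["license_files"].append(name)
            # Compiled code: known magic number, or NUL bytes in a non-image file.
            if body.startswith(BINARY_MAGIC) or (
                b"\x00" in body[:4096] and not base.endswith((".png", ".ico", ".gif", ".jpg"))
            ):
                report["binaries"].append(name)
            elif base.endswith(SCRIPT_EXT):
                text = body.decode("utf-8", errors="replace")
                for lineno, line in enumerate(text.splitlines(), 1):
                    if REMOTE_CODE.search(line):
                        report["remote_code"].append((name, lineno, line.strip()))
    return report

def build_sample_xpi():
    """Constructed sample archive (not a real add-on) used to exercise audit_xpi."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", '{"name": "sample", "version": "1.0"}')
        z.writestr("LICENSE", "MPL-2.0 text would go here")
        z.writestr("background.js", 'let s = document.createElement("script");\n'
                                    's.src = "https://cdn.example.invalid/lib.js";\n')
        z.writestr("components/helper.so", b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    for key, items in audit_xpi(build_sample_xpi()).items():
        print(key, items)
```

To audit a downloaded add-on, pass the file's bytes to `audit_xpi`; every entry under `binaries` or `remote_code` is a place to read by hand, since the patterns only catch the obvious forms.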