Hi HN<p>I needed a way to monitor network calls made by chrome extensions so I made a small extension.<p>You can install it by dropping the zip or crx into the extensions page. It'll be on the chrome store whenever/if it gets through the review.<p>Hopefully it's useful to others.<p><a href="https://github.com/dnakov/little-rat">https://github.com/dnakov/little-rat</a><p><a href="https://twitter.com/dnak0v" rel="nofollow noreferrer">https://twitter.com/dnak0v</a>
I wish this was a feature of Firefox (or Chrome, as if Google would ever), rather than a third-party extension, so that it had enough adoption to compel other browsers to care too. I'd like very much to authorize certain extensions to only make GET requests to specific static URLs without any ability to vary the headers, so that they can get data updates without there being any risk of leaking data. And for others, they don't need network access at all to do their job locally in my browser instance. But that would be circumventable (since anything that can modify page source can add data transmission), so I imagine they aren't doing it because of that. Too bad — better to <i>try</i> than just give up and cede it to a Chrome extension.
Given that this extension is not very easy to install, I suggest adding a screenshot showing some actual captured network events. The current screenshot hides the most interesting feature.
Neat. I'm surprised this is possible tbh.<p>Not being familiar with exactly what data these APIs (or similar?) provide: could extensions' abilities to access other extensions' requests imply any security concerns for e.g. password manager extensions? Or auth-token-using extensions?
Nifty - but please do this more carefully:<p><a href="https://github.com/dnakov/little-rat/blob/main/popup.js#L36">https://github.com/dnakov/little-rat/blob/main/popup.js#L36</a><p>I do not want to have to worry about whether another extension can inject xss into yours with a crafted request/id/name.
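An added example, not from the thread or from little-rat's code: one way a popup can render values that other extensions control (id, name, request URL) without letting them be parsed as markup, using an escape-by-default template. The field names (`id`, `name`, `count`, `lastUrl`) and the sample entries are assumptions constructed for illustration; what popup.js does at the linked line is not shown on this page.

```javascript
// Escape-by-default HTML templating for a popup that lists other extensions.
// Added illustration; field names and sample data are hypothetical.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Neutralise the five characters that can change HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Marks markup produced by our own templates so nesting does not double-escape.
class SafeHtml {
  constructor(markup) { this.markup = markup; }
  toString() { return this.markup; }
}

// Tagged template: literal parts are trusted, every interpolated value is
// escaped unless it is already SafeHtml (or an array of SafeHtml rows).
function html(strings, ...values) {
  let out = strings[0];
  values.forEach((value, i) => {
    const parts = Array.isArray(value) ? value : [value];
    out += parts.map((p) => (p instanceof SafeHtml ? p.markup : escapeHtml(p))).join('');
    out += strings[i + 1];
  });
  return new SafeHtml(out);
}

// Build the list markup; ids, names and URLs come from other extensions,
// so all of them are treated as untrusted input.
function renderExtensionList(extensions) {
  const rows = extensions.map((ext) =>
    html`<li data-id="${ext.id}"><b>${ext.name}</b> <span>${ext.count}</span> <code>${ext.lastUrl}</code></li>`);
  return html`<ul>${rows}</ul>`.toString();
}

// Constructed sample data: the second entry stands in for an extension whose
// id, name and request URL all contain markup.
const SAMPLE = [
  { id: 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', name: 'Ad Blocker', count: 3,
    lastUrl: 'https://example.com/list.txt' },
  { id: 'bbbb" onmouseover="x', name: '<img src=x onerror=alert(1)>', count: 1,
    lastUrl: 'https://example.com/?q=<script>' },
];

console.log(renderExtensionList(SAMPLE));
```

When the popup builds DOM nodes directly, assigning these values through `textContent` and `setAttribute` avoids HTML parsing altogether.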
Downloaded the extension and tested that it's working. QQ: What does it mean when there is a "hit" (e.g., 1 appears), but when I click the extension to investigate all extensions show 0, and the original displayed number disappears?<p>Also, if I delete an extension, it still appears in the list of extensions in Little Rat. Any easy way to fix this?
Thanks for sharing, would you mind explaining how it works and if there are any general concerns you have with Chrome not sandboxing between extensions? i.e., what else is shared between extensions and what risks do you feel are here.<p>Thanks
FYI: That CRX in Releases did not work for me - it did install correctly, it showed up in the toolbar but opened an empty popup (no extensions were listed)...<p>The unpacked zip worked just fine though!<p>Nice extension, thanks!<p>(Vivaldi 6.2.3096.3 on Linux)
ooh, love it. Would be great to have some installation information within the repo for people who aren't savvy at enabling dev mode in chrome extensions
If you can - do not install any extensions. I’ve had a couple like an ad blocker and something else leak my browser history to similarweb and neither the extension nor similarweb showed that they sell/collect my data.
How can I be assured that installing a random Chrome extension from a random person on the internet that has access to all my network data and can't get approved in the Chrome store is safe? :)