Idraw Kit
Overview
A free design tool based on iDraw.js, similar to Figma and Sketch, focusing on the design of web pages and pictures. Offline first, the data is stored in the browser's local cache, and it supports exporting offline files, pictures or JSON data.
Security Analysis — Idraw Kit
Package Contents: 21 files · 2.1MB
What This Extension Does
Idraw Kit is a lightweight, offline-first web design tool built on iDraw.js that allows users to create web pages and graphics directly in their browser. It stores data locally without requiring high-risk permissions, making it suitable for artists and designers who need a privacy-focused alternative to cloud-based tools like Figma. The extension is currently in early development (Version 0.0.4) with very limited user adoption.
Permissions Explained
- None expected: This extension does not request any special access to your personal data, browsing history, or other websites. It operates entirely within the page it is installed on.
Technical: The manifest declares no host permissions (e.g., <all_urls>) and no specific API permissions (e.g., storage, identity). The extension relies solely on Content Scripts injected into the active tab to function.
Your Data
The extension does not send your design data to external servers for processing. It only connects to public CDNs (like reactjs.org and momentjs.com) to load libraries needed for the editor interface, and it may fetch GitHub resources for updates or documentation.
Technical Details
Code Findings
The code uses a method that inserts HTML directly from user input. While common in design tools, this can be risky if the tool ever allows users to paste untrusted code into their designs.
Technical: Code pattern: element.innerHTML = userInput. This bypasses the browser's default sanitization. If an attacker controls the content being pasted or rendered, they could inject malicious scripts that execute in the context of the current website.
💡 Design tools often need to render user-generated shapes, text, and images. Using innerHTML is a standard performance optimization for rendering large numbers of DOM elements quickly.
The code uses tricks to hide its logic, making it harder for average users or security scanners to read. This is common in open-source projects but can sometimes be used to hide malicious behavior.
Technical: Code pattern: charCodeAt usage and string obfuscation. Developers often encode strings or use dynamic function calls to prevent automated analysis tools from easily parsing the code's intent.
💡 Obfuscation is frequently used to protect intellectual property (IP) in open-source libraries like iDraw.js, preventing others from easily copying the exact implementation.
The code might contain a hidden password or API key that was accidentally left in the source files. If found, this could allow attackers to impersonate the service.
Technical: Code pattern: String literals resembling keys (e.g., const SECRET = '...') found during static analysis. This is often a result of copy-pasting configuration from a development environment into production code.
💡 Developers sometimes test features with dummy credentials before removing them, or they may use environment variables that fail to load correctly in the browser extension context.
The tool talks to other websites using a secure messaging system. This is necessary for loading external fonts or libraries but requires careful handling to prevent data leaks.
Technical: Code pattern: window.postMessage. This allows the extension to send messages between different web pages (e.g., from the design canvas to a library hosted on GitHub).
💡 Essential for Content Scripts to interact with third-party libraries loaded via CDN, ensuring the editor functions correctly without violating security policies.
The extension does not have a strict safety rule set to block malicious scripts. This means if a bug occurs, it might be easier for an attacker to run unwanted code.
Technical: Manifest analysis: No content_security_policy field defined in the manifest.json. Without CSP, the browser relies on default permissive policies which allow inline scripts and eval() calls.
💡 Extensions often omit CSP during early development (v0.0.4) to avoid breaking functionality while they are still debugging their code.
Idraw Kit is a low-risk tool for its intended purpose of offline web design, primarily due to its lack of permissions and local-first architecture. However, the presence of obfuscation and potential hardcoded secrets suggests it is in an early development phase where code hygiene is not yet perfect. Users should be cautious about pasting untrusted content into the editor until these medium-severity findings are resolved.