Jsonvue
Overview
JSONView port for Chrome.
The original Firefox extension is here: http://benhollis.net/software/jsonview/
Notes:
- JSON is validated using a client-side JavaScript implementation of JSONLint (http://github.com/zaach/jsonlint)
- This extension displays JSON text compliant with RFC 4627 (http://www.ietf.org/rfc/rfc4627.txt)
- The stylesheet used to display the JSON content can be customized
- JSONP (http://en.wikipedia.org/wiki/JSON#JSONP) is supported
Security Analysis — Jsonvue
Package Contents 24 files · 582KB
What This Extension Does
Jsonvue is a browser extension that validates and views JSON documents. It's designed for developers and productivity users, solving the problem of easily checking JSON syntax and formatting. With over 800,000 users, it's a popular tool in its category.
Permissions Explained
- contextMenus (expected): This permission allows Jsonvue to add custom menu items to your browser's context menu.
  Technical: The extension uses the chrome.contextMenus API to create and manage these menu items, which can be used for various purposes such as displaying JSON data or providing access to settings.
- storage (expected): This permission allows Jsonvue to store small amounts of data locally on your device, which is used to remember user preferences and settings.
  Technical: The extension uses the chrome.storage API to store and retrieve data, which can be accessed by other extensions or malicious scripts if compromised. The risk level for this permission is MEDIUM due to potential data exposure.
Your Data
Jsonvue accesses local storage on your device and sends requests to various external domains, including GitHub, JSONLint, and CodeMirror. It also uses the Fetch API to make HTTP requests.
Technical Details
chrome.contentScript API.
Code Findings
This means that Jsonvue loads JavaScript files from external domains, which can potentially introduce security risks if those scripts are malicious.
Technical: The extension uses the chrome.serviceWorker API to load and execute scripts from external domains, including GitHub and JSONLint. This can be a risk vector for code injection attacks or data exposure.
💡 Loading external scripts is common in legitimate extensions that need to access external resources or services.
This means that Jsonvue uses the document.write() method, which can be exploited by malicious scripts to inject code into web pages.
Technical: The extension uses document.write() in its content script to display JSON data. This can be a risk vector for cross-site scripting (XSS) attacks if an attacker is able to inject malicious code into the page.
💡 Using document.write() is common in legitimate extensions that need to display dynamic content on web pages.
This means that Jsonvue uses the innerHTML property to assign values to HTML elements, which can be exploited by malicious scripts to inject code into web pages.
Technical: The extension uses innerHTML in its content script to display JSON data. This can be a risk vector for XSS attacks if an attacker is able to inject malicious code into the page.
💡 Using innerHTML is common in legitimate extensions that need to display dynamic content on web pages.
This means that Jsonvue uses the String.fromCharCode() method, which can be used for code obfuscation or encryption.
Technical: The extension uses String.fromCharCode() in its content script to encode strings. This can be a risk vector for data exposure if an attacker is able to decode the encoded strings.
💡 Using String.fromCharCode() is common in legitimate extensions that need to encrypt or obfuscate data.
This means that Jsonvue uses the Fetch API to make HTTP requests, which is a common and secure way to access external resources.
Technical: The extension uses the fetch() function in its content script to make HTTP requests. This is a legitimate use of the Fetch API.
💡 Using the Fetch API is common in legitimate extensions that need to access external resources or services.
This means that Jsonvue creates custom menu items in your browser's context menu, which can be used for various purposes such as displaying JSON data or providing access to settings.
Technical: The extension uses the chrome.contextMenus API to create and manage these menu items. This is a legitimate use of the API.
💡 Creating custom menu items is common in legitimate extensions that need to provide additional functionality to users.
This means that Jsonvue uses the postMessage() method to communicate with other scripts or web pages across different origins, which can be a risk vector for data exposure.
Technical: The extension uses postMessage() in its content script to communicate with other scripts or web pages. This can be a risk vector for data exposure if an attacker is able to intercept the messages.
💡 Using postMessage() is common in legitimate extensions that need to communicate with other scripts or web pages across different origins.
This means that Jsonvue sets up event listeners to respond to various events such as page loads or user interactions, which is a common and secure way to interact with web pages.
Technical: The extension uses the addEventListener() method in its content script to set up event listeners. This is a legitimate use of the API.
💡 Setting up event listeners is common in legitimate extensions that need to respond to various events such as page loads or user interactions.
Jsonvue is a useful extension for developers and productivity users, but it has some security concerns due to its use of external scripts, document.write(), and innerHTML assignment. Users should be cautious when installing this extension and ensure that they understand the potential risks involved.