Puzzilla Extension
Overview
Enables Puzzilla to analyze historical records in the FamilySearch source linker page to find records that contain a possible new person that is not found in FamilyTree. Without the extension Puzzilla cannot examine the facts in the historical record. Puzzilla does not make any changes to the data in the FamilySearch database.
Security Analysis — Puzzilla Extension
Package Contents: 10 files · 29KB
What This Extension Does
Puzzilla is a lightweight lifestyle/social extension designed to enhance the FamilySearch genealogy platform. It operates as a content script injected into specific familysearch.org pages, utilizing postMessage for secure cross-origin communication without a background service worker. With minimal permissions and low user adoption, it presents a benign security posture suitable for casual users interested in genealogy tools.
Permissions Explained
- activeTab (expected): This permission allows the extension to run only when you visit specific websites (like FamilySearch), ensuring it cannot track your activity across other sites or read data from unrelated tabs.
Technical: The 'activeTab' host permission grants access to the DOM, storage, and network requests of the currently focused tab. In Manifest V3, this is scoped strictly to the URLs defined in the manifest (e.g., https://familysearch.org/*). If compromised, an attacker could theoretically read page content from that specific domain, but it lacks broad cross-site tracking capabilities.
Your Data
The extension communicates exclusively with its own server (puzzilla.org) and the target site (familysearch.org). It does not appear to collect personal data, send user credentials, or exfiltrate sensitive information beyond what is necessary for its functionality on the specific genealogy pages.
Technical Details
Code Findings
The extension uses a standard, secure method to talk to other websites. This ensures that data sent between the extension and the page it is running on stays within a safe channel and isn't intercepted by malicious scripts.
Technical: The code utilizes the window.postMessage API to establish a communication channel with the parent window (familysearch.org). This prevents direct DOM manipulation or event listener hijacking from external sources. The risk vector here is minimal; if an attacker controls the target site, they could theoretically send messages to the extension, but the extension's lack of broad permissions limits what it can do with that input.
💡 postMessage is the industry-standard mechanism for extensions to interact with third-party websites without violating same-origin policy. It is required for features like 'Add to FamilySearch' buttons or sidebar widgets.
The extension does not enforce strict security rules on the code it runs. While this isn't dangerous by itself, it means the extension relies entirely on the website's own security settings to prevent malicious scripts from running inside it.
Technical: The manifest lacks a content_security_policy field. This defaults to a permissive policy allowing execution of scripts from any source ('unsafe-eval' is often implied or default depending on browser version). An attacker injecting a script into the target page could potentially execute arbitrary code if the extension's context allows it, though the 'activeTab' scope limits this significantly.
💡 Many simple extensions omit CSP to avoid breaking functionality with complex third-party libraries loaded by the host site. Adding a strict CSP often requires significant refactoring of the extension's own code.
Puzzilla Extension demonstrates a high degree of security hygiene for its intended purpose, utilizing scoped permissions and secure communication protocols. The lack of a background service worker and the restriction to specific domains significantly reduce the attack surface. Users can confidently install this extension as it poses no significant privacy or security risks.