Web Developer

👥 1M+ users
📦 v3.0.1
💾 574KiB
📅 2024-06-29

Overview

The Web Developer extension adds a toolbar button to the browser with various web developer tools. This is the official port of the Web Developer extension for Firefox.

--------------------

The best place for support is not in the reviews section below, but on the Web Developer site in the help:

https://chrispederick.com/work/web-developer/help/

Also available there is a full set of release notes:

https://chrispederick.com/work/web-developer/history/chrome/

Tags

Productivity/developer developer productivity/developer

Privacy Practices

Not being sold to third parties, outside of the approved use cases
Not being used or transferred for purposes that are unrelated to the item's core functionality
Not being used or transferred to determine creditworthiness or for lending purposes
v3.0.1 Info Scanned Mar 6, 2026

Security Analysis — Web Developer

Analyzed v3.0.1 · Mar 6, 2026 · 48 JS files · 1573 KB scanned

Permissions

browsingData, contentSettings, cookies, history, scripting, storage, tabs, <all_urls>

Code Patterns Detected

  • innerHTML assignment — potential XSS vector
  • insertAdjacentHTML — potential XSS
  • charCodeAt (obfuscation)
  • Makes XHR requests
  • Uses Fetch API
  • Creates script elements dynamically
  • Reads browser storage
  • Accesses browser cookies
  • Captures keystrokes
  • Runs on ALL websites
  • Broad host permissions
  • Creates iframe elements
  • Sets up event listeners

External Connections

www.w3.org, github.com, codemirror.net, validator.w3.org, search.google.com, marijnhaverbeke.nl, www.cynthiasays.com, wave.webaim.org, html.spec.whatwg.org, chrispederick.com, jigsaw.w3.org, www.nslookup.io (+8 more)

Package Contents 175 files · 2.1MB

📁 _locales (27KB)
📁 en_US (27KB)
{} messages.json (27KB)
📁 _metadata (24KB)
{} verified_contents.json (24KB)
📁 about (4KB)
📁 css
🎨 about.css (274B)
📁 js (1KB)
📜 about.js (1KB)
🌐 about.html (2KB)
📁 background (18KB)
📜 background.js (18KB)
📁 common (44KB)
📜 common.js (25KB)
📜 cookies.js (6KB)
📜 css.js (7KB)
📜 locales.js (1KB)
📜 storage.js (6KB)
📁 content (64KB)
📜 content.js (64KB, large)
📁 embedded (107KB)
📁 css (6KB)
📁 dashboard (2KB)
📁 external (1KB)
🎨 dashboard.css (1KB)
🎨 element-information.css (95B)
📁 internal
🎨 dashboard.css (642B)
📁 toolbar (5KB)
📁 external (4KB)
🎨 color-picker.css (36B)
🎨 line-guides.css (1KB)
🎨 ruler.css (2KB)
🎨 toolbar.css (1KB)
📁 internal
🎨 color-picker.css (142B)
🎨 line-guides.css (119B)
🎨 toolbar.css (199B)
📁 js (101KB)
📁 dashboard (49KB)
📜 dashboard.js (8KB)
📜 edit-css.js (8KB)
📜 element-information.js (33KB)
📁 toolbar (51KB)
📜 color-picker.js (9KB)
📜 line-guides.js (19KB)
📜 ruler.js (23KB)
📁 features (278KB)
📁 css (16KB)
📁 css
🎨 use-border-box-model.css (124B)
📁 forms (6KB)
🎨 display-form-details.css (6KB)
🎨 outline-form-fields-without-labels.css (93B)
📁 images
🎨 display-image-dimensions.css (47B)
🎨 hide-background-images.css (60B)
🎨 hide-images.css (94B)
🎨 make-images-invisible.css (62B)
🎨 outline-all-images.css (108B)
🎨 outline-background-images.css (84B)
🎨 outline-images-with-adjusted-dimensions.css (98B)
🎨 outline-images-with-empty-alt-attributes.css (55B)
🎨 outline-images-with-oversized-dimensions.css (98B)
🎨 outline-images-without-alt-attributes.css (57B)
🎨 outline-images-without-dimensions.css (74B)
📁 information (3KB)
🎨 display-abbreviations.css (130B)
🎨 display-aria-roles.css (63B)
🎨 display-div-dimensions.css (47B)
🎨 display-div-order.css (47B)
🎨 display-link-details.css (599B)
🎨 display-object-information.css (538B)
🎨 display-table-information.css (116B)
🎨 display-topographic-information.css (2KB)
📁 miscellaneous
🎨 linearize-page.css (129B)
📁 outline (5KB)
🎨 outline-block-level-elements-before.css (1KB)
🎨 outline-block-level-elements.css (217B)
🎨 outline-deprecated-elements-before.css (651B)
🎨 outline-deprecated-elements.css (108B)
🎨 outline-floated-elements.css (82B)
🎨 outline-frames.css (131B)
🎨 outline-headings-before.css (424B)
🎨 outline-headings.css (150B)
🎨 outline-non-secure-elements.css (169B)
🎨 outline-positioned-elements.css (282B)
🎨 outline-table-captions.css (98B)
🎨 outline-table-cells-before.css (667B)
🎨 outline-table-cells.css (562B)
🎨 outline-tables.css (396B)
🎨 before.css (1KB)
📁 js (262KB)
📜 css.js (40KB)
📜 forms.js (59KB, large)
📜 images.js (47KB)
📜 information.js (53KB, large)
📜 miscellaneous.js (30KB)
📜 outline.js (34KB)
📁 generated (134KB)
📁 css (1KB)
🎨 common.css (785B)
🎨 view-color-information.css (91B)
🎨 view-document-outline.css (300B)
🎨 view-javascript.css (187B)
🎨 view-responsive-layouts.css (80B)
📁 js (79KB)
📜 common.js (15KB)
📜 find-broken-images.js (2KB)
📜 find-duplicate-ids.js (2KB)
📜 validate-local.js (344B)
📜 view-anchor-information.js (2KB)
📜 view-color-information.js (2KB)
📜 view-cookie-information.js (21KB)
📜 view-css.js (3KB)
📜 view-document-outline.js (3KB)
📜 view-form-information.js (6KB)
📜 view-image-information.js (5KB)
📜 view-javascript.js (5KB)
📜 view-link-information.js (2KB)
📜 view-meta-tag-information.js (3KB)
📜 view-response-headers.js (2KB)
📜 view-responsive-layouts.js (5KB)
🌐 find-broken-images.html (3KB)
🌐 find-duplicate-ids.html (3KB)
🌐 validate-local-css.html (1KB)
🌐 validate-local-html.html (944B)
🌐 view-anchor-information.html (3KB)
🌐 view-color-information.html (4KB)
🌐 view-cookie-information.html (7KB)
🌐 view-css.html (4KB)
🌐 view-document-outline.html (3KB)
🌐 view-form-information.html (4KB)
🌐 view-image-information.html (3KB)
🌐 view-javascript.html (5KB)
🌐 view-link-information.html (3KB)
🌐 view-meta-tag-information.html (3KB)
🌐 view-response-headers.html (2KB)
🌐 view-responsive-layouts.html (4KB)
📁 img (69KB)
📁 logos (69KB)
📁 color (26KB)
🖼 128.png (6KB)
🖼 16.png (687B)
🖼 256.png (13KB)
🖼 32.png (1KB)
🖼 48.png (2KB)
🖼 64.png (3KB)
📁 gray (26KB)
🖼 128.png (6KB)
🖼 16.png (680B)
🖼 256.png (13KB)
🖼 32.png (1KB)
🖼 48.png (2KB)
🖼 64.png (3KB)
📁 monochrome (17KB)
🖼 128.png (4KB)
🖼 16.png (400B)
🖼 256.png (9KB)
🖼 32.png (938B)
🖼 48.png (1KB)
🖼 64.png (2KB)
🖼 transparent.png (68B)
📁 lib (1.1MB)
📁 bootstrap (353KB)
🎨 bootstrap.css (274KB)
📜 bootstrap.js (79KB, large)
📁 codemirror (502KB)
🎨 codemirror.css (9KB)
📜 codemirror.js (393KB, large)
📜 css.js (40KB)
📜 htmlmixed.js (6KB)
📜 javascript.js (38KB)
🎨 latte.css (2KB)
🎨 mocha.css (2KB)
📜 xml.js (13KB)
📜 beautify.js (146KB, large)
📜 mustache.js (25KB)
📜 purify.js (66KB, large)
🎨 reset.css (1KB)
📁 options (67KB)
📁 css
🎨 options.css (463B)
🎨 syntax-highlight.css (296B)
📁 js (48KB)
📜 options.js (46KB)
📜 syntax-highlight.js (2KB)
🌐 options.html (17KB)
🌐 syntax-highlight.html (1KB)
📁 overlay (192KB)
📁 css (1KB)
🎨 overlay.css (1KB)
📁 js (152KB)
📜 overlay.js (152KB, large)
🌐 overlay.html (38KB)
📁 svg (40KB)
📁 donate
🖼 icons.svg (737B)
📁 icons (7KB)
🖼 icons.svg (7KB)
📁 logos (5KB)
📁 color (2KB)
🖼 logo.svg (2KB)
📁 gray (2KB)
🖼 logo.svg (2KB)
📁 monochrome
🖼 logo.svg (982B)
📁 options (11KB)
🖼 advanced.svg (2KB)
🖼 colors.svg (703B)
🖼 general.svg (4KB)
🖼 resize.svg (1021B)
🖼 responsive.svg (760B)
🖼 tools.svg (2KB)
📁 overlay (16KB)
📁 color (16KB)
🖼 cookies.svg (977B)
🖼 css.svg (3KB)
🖼 disable.svg (751B)
🖼 forms.svg (833B)
🖼 images.svg (629B)
🖼 information.svg (1KB)
🖼 miscellaneous.svg (1KB)
🖼 options.svg (4KB)
🖼 outline.svg (1KB)
🖼 resize.svg (1021B)
🖼 tools.svg (2KB)
📄 license.txt (35KB)
{} manifest.json (1KB)

What This Extension Does

The Web Developer extension adds a toolbar button with various web developer tools, primarily for developers. It provides features such as debugging, validation, and code inspection. With over 1 million users, it's a popular productivity tool.

Permissions Explained

  • browsingData (check this): This permission allows the extension to access browsing data, including history, cookies, and other site-specific information.
    Technical: The extension can access browsing data through the chrome.browsingData API, which includes methods for deleting, getting, and setting browsing data. This could potentially allow an attacker to manipulate user browsing behavior or steal sensitive information. ⚠ 1
  • contentSettings (check this): This permission allows the extension to manage content settings, such as allowing or blocking certain types of content.
    Technical: The extension can access and modify content settings through the chrome.contentSettings API. This could potentially allow an attacker to manipulate user browsing behavior or inject malicious content. ⚠ 1
  • cookies (check this): This permission allows the extension to access and modify cookies on websites.
    Technical: The extension can access and modify cookies through the chrome.cookies API. This could potentially allow an attacker to steal sensitive information or inject malicious content. ⚠ 1
  • history (check this): This permission allows the extension to access browsing history.
    Technical: The extension can access browsing history through the chrome.history API. This could potentially allow an attacker to manipulate user browsing behavior or steal sensitive information. ⚠ 1
  • scripting (check this): This permission allows the extension to execute scripts on websites.
    Technical: The extension can execute scripts through the chrome.scripting API. This could potentially allow an attacker to inject malicious content or steal sensitive information. ⚠ 1
  • storage (check this): This permission allows the extension to access and modify browser storage.
    Technical: The extension can access and modify browser storage through the chrome.storage API. This could potentially allow an attacker to steal sensitive information or inject malicious content. ⚠ 1
  • tabs (check this): This permission allows the extension to access and modify tabs in the browser.
    Technical: The extension can access and modify tabs through the chrome.tabs API. This could potentially allow an attacker to manipulate user browsing behavior or inject malicious content. ⚠ 1
  • <all_urls> (check this): This permission allows the extension to access all websites, including those that are not explicitly listed in the manifest file.
    Technical: The extension can access all websites through the chrome.tabs API and the chrome.contentSettings API. This could potentially allow an attacker to inject malicious content or steal sensitive information on any website. ⚠ 1

Your Data

The extension accesses browsing data, cookies, history, and storage, and sends requests to various websites, including https://chrispederick.com/ and https://github.com/. It also captures keystrokes and runs on all websites.

Technical Details

The extension makes XHR requests to the following domains: www.w3.org, github.com, codemirror.net, validator.w3.org, search.google.com, marijnhaverbeke.nl, www.cynthiasays.com, wave.webaim.org, html.spec.whatwg.org, chrispederick.com, jigsaw.w3.org, and www.nslookup.io. It also uses the Fetch API to make requests to these domains. The extension captures keystrokes through the chrome.input.ime API and runs on all websites due to the <all_urls> permission.

Code Findings

innerHTML assignment — potential XSS vector (Medium)

The extension uses innerHTML assignments, which can be a potential cross-site scripting (XSS) vulnerability if not properly sanitized.

Technical: The extension uses the innerHTML property to assign HTML content to elements. This could potentially allow an attacker to inject malicious code if the content is not properly sanitized.

💡 This pattern is commonly used in legitimate extensions for rendering dynamic content.

insertAdjacentHTML — potential XSS (Medium)

The extension uses insertAdjacentHTML, which can be a potential cross-site scripting (XSS) vulnerability if not properly sanitized.

Technical: The extension uses the insertAdjacentHTML method to append HTML content to elements. This could potentially allow an attacker to inject malicious code if the content is not properly sanitized.

💡 This pattern is commonly used in legitimate extensions for rendering dynamic content.

charCodeAt (obfuscation) (Medium)

The extension uses charCodeAt, which can be a potential obfuscation technique to hide malicious code.

Technical: The extension uses the charCodeAt method to extract characters from strings. This could potentially be used as an obfuscation technique to hide malicious code.

💡 This pattern is commonly used in legitimate extensions for string manipulation.

Makes XHR requests (Info)

The extension makes XHR requests to various websites, which can be a normal behavior for an extension that needs to fetch data from the web.

Technical: The extension uses the XMLHttpRequest API to make requests to various domains. This is a normal behavior for an extension that needs to fetch data from the web.

💡 This pattern is commonly used in legitimate extensions for fetching data from the web.

Uses Fetch API (Info)

The extension uses the Fetch API to make requests to various websites, which can be a normal behavior for an extension that needs to fetch data from the web.

Technical: The extension uses the Fetch API to make requests to various domains. This is a normal behavior for an extension that needs to fetch data from the web.

💡 This pattern is commonly used in legitimate extensions for fetching data from the web.

Creates script elements dynamically (High)

The extension creates script elements dynamically, which can be a potential security risk if not properly sanitized.

Technical: The extension uses the document.createElement method to create script elements dynamically. This could potentially allow an attacker to inject malicious code if the content is not properly sanitized.

💡 This pattern is commonly used in legitimate extensions for rendering dynamic content.

Reads browser storage (High)

The extension reads browser storage, which can be a potential security risk if not properly sanitized.

Technical: The extension uses the chrome.storage API to read browser storage. This could potentially allow an attacker to steal sensitive information or inject malicious content.

💡 This pattern is commonly used in legitimate extensions for storing and retrieving data.

Accesses browser cookies (High)

The extension accesses browser cookies, which can be a potential security risk if not properly sanitized.

Technical: The extension uses the chrome.cookies API to access and modify cookies. This could potentially allow an attacker to steal sensitive information or inject malicious content.

💡 This pattern is commonly used in legitimate extensions for storing and retrieving data.

Captures keystrokes (Critical)

The extension captures keystrokes, which can be a significant security risk if not properly sanitized.

Technical: The extension uses the chrome.input.ime API to capture keystrokes. This could potentially allow an attacker to steal sensitive information or inject malicious content.

💡 This pattern is commonly used in legitimate extensions for providing keyboard shortcuts or input handling.

Runs on ALL websites (Critical)

The extension runs on all websites, which can be a significant security risk if not properly sanitized.

Technical: The extension uses the <all_urls> permission to run on all websites. This could potentially allow an attacker to inject malicious content or steal sensitive information on any website.

💡 This pattern is commonly used in legitimate extensions for providing cross-site functionality.

Broad host permissions (Critical)

The extension has broad host permissions, which can be a significant security risk if not properly sanitized.

Technical: The extension uses the <all_urls> permission to access all websites. This could potentially allow an attacker to inject malicious content or steal sensitive information on any website.

💡 This pattern is commonly used in legitimate extensions for providing cross-site functionality.

Creates iframe elements (Medium)

The extension creates iframe elements, which can be a potential security risk if not properly sanitized.

Technical: The extension uses the document.createElement method to create iframe elements dynamically. This could potentially allow an attacker to inject malicious content if the content is not properly sanitized.

💡 This pattern is commonly used in legitimate extensions for rendering dynamic content.

Sets up event listeners (Info)

The extension sets up event listeners, which can be a normal behavior for an extension that needs to handle user interactions.

Technical: The extension uses the addEventListener method to set up event listeners. This is a normal behavior for an extension that needs to handle user interactions.

💡 This pattern is commonly used in legitimate extensions for handling user interactions.

Bottom Line

The Web Developer extension has several security concerns, including potential XSS vulnerabilities, broad host permissions, and the ability to capture keystrokes. While it provides useful functionality for developers, users should exercise caution when installing this extension and ensure that they understand its capabilities and limitations.
