Whatfont

👥 2M+ users
📦 v3.2.0
💾 741KiB
📅 2024-03-04

Overview

Say goodbye to the complexity of developer tools for identifying fonts. With WhatFont, discovering the fonts used on websites becomes as effortless as hovering over text. Want more details? A simple click on any element reveals the styles applied, making it easier than ever to uncover the secrets behind beautiful typography.

Recommended by Wired WebMonkey, Lifehacker, and SwissMiss.

———————————————————————————

History:
• 3.2.0
- Improved toolbar icon compatibility
• 3.1.1
- Removed unnecessary developer logging
• 3.1.0
- Added multiple color format support
• 3.0.1
- Restored escape key to exit
• 3.0.0
- Completely Rewritten: The entire extension has been rebuilt for better performance and usability.
- Updated Permission Model: We've revised permissions to better respect user privacy while maintaining functionalities.
- Refreshed Appearance: The look has been updated for a more modern feel.
- Isolation from Host Website Styling: Ensures WhatFont's appearance is unaffected by the website it's used on.
- Adaptive Toolbar Icon: The toolbar icon now changes based on the system's appearance settings.
- Support for New CSS Color Values: Enhanced support for the latest CSS color values.
• 2.1.0
- A new design thanks to Siddharth Mate
• 2.0.3
- Retina toolbar icon
• 2.0.2
- Fix option page for button styles
• 2.0.1
- Use native screen capturer
• 2.0
- Improved sharing
• 1.7
- Added font services detection for FontDeck (Thanks to Mark Perkins)
- Improved font detecting algorithm
- Improved overall performance
• 1.6.1
- Added color detection for text
• 1.6
- Added a tweet button for instant sharing through Twitter
- Improved style resetting
• 1.5
- Overall restyling
• 1.4.4
- Supported light icon for dark themes
• 1.4.3
- Fixed a bug related to Typekit service detection
• 1.4.2
- Reduced loading time
- Supported HTTPS protocol
• 1.4.1
- Fixed stylesheet bug
• 1.4
- Restructured source code
- Supported font services detection for Typekit and Google Font API
- Fixed toolbar button bug. Second click is now "Exit WhatFont"

Tags

Productivity/developer design productivity/developer

Privacy Practices

Not being sold to third parties, outside of the approved use cases
Not being used or transferred for purposes that are unrelated to the item's core functionality
Not being used or transferred to determine creditworthiness or for lending purposes
v3.2.0 Info Scanned Mar 5, 2026

Security Analysis — Whatfont

Analyzed v3.2.0 · Mar 5, 2026 · 3 JS files · 2281 KB scanned

Permissions

  • activeTab
  • scripting

Code Patterns Detected

  • innerHTML assignment (potential XSS vector)
  • String.fromCharCode (obfuscation)
  • Uses Fetch API
  • Uses postMessage for cross-origin comms
  • Sets up event listeners

External Connections

  • www.w3.org
  • reactjs.org
  • chengyinliu.com
  • fb.me

Package Contents

19 files · 2.3MB

  • _metadata/ (3KB)
      • verified_contents.json (3KB)
  • background/ (147KB)
      • background.js (82KB, large)
      • index.html (217B)
      • index.js (11KB)
      • index.js.map (54KB)
  • contentScript/ (2.1MB)
      • index.js (2.1MB, large)
  • icon128.png (5KB)
  • icon16.png (345B)
  • icon19.png (505B)
  • icon19_light.png (1KB)
  • icon256.png (12KB)
  • icon32.png (4KB)
  • icon38.png (936B)
  • icon38_light.png (3KB)
  • icon48.png (3KB)
  • icon76.png (2KB)
  • icon76_light.png (4KB)
  • icon96.png (6KB)
  • manifest.json (710B)

What This Extension Does

Whatfont is a browser extension that helps users identify fonts on web pages. It provides an easy way to discover the fonts used on websites by hovering over text or clicking on elements. This extension is recommended for developers, designers, and anyone interested in typography.

Permissions Explained

  • activeTab (expected): This permission allows Whatfont to access the current web page you're viewing.
    Technical: The activeTab permission grants access to the tab's content script injection, which can be used for cross-origin communication and data exchange. This could potentially expose user data if compromised.
  • scripting (expected): This permission enables Whatfont to run scripts on web pages, which is necessary for its functionality.
    Technical: The scripting permission allows the extension to execute JavaScript code in the context of web pages, potentially exposing user data or allowing malicious code execution if compromised.

Your Data

Whatfont accesses the current web page's content and sends requests to external domains for font detection. It also uses the Fetch API for data exchange.

Technical Details

domains
  • www.w3.org
  • reactjs.org
  • chengyinliu.com
  • fb.me
protocols
  • HTTP
  • HTTPS
encryption_status
Mixed (some HTTPS, some HTTP)
data_types
  • cookies
  • tokens

Code Findings

innerHTML assignment - potential XSS vector (Medium)

This finding indicates that Whatfont uses innerHTML assignment in its code, which could potentially lead to cross-site scripting (XSS) attacks if exploited.

Technical: The extension's content script injects HTML elements with user-controlled data using the innerHTML property. This creates a potential XSS vector if an attacker can manipulate this data.

💡 innerHTML assignment is commonly used in legitimate extensions for dynamic content rendering and manipulation.

String.fromCharCode (obfuscation) (Medium)

This finding suggests that Whatfont uses String.fromCharCode to obfuscate its code, which could make it harder for users to understand what the extension is doing.

Technical: The extension's JavaScript files use String.fromCharCode to encode strings, making it more difficult to analyze and debug the code.

💡 String.fromCharCode is sometimes used in legitimate extensions for encoding sensitive data or obfuscating code to prevent tampering.

Bottom Line

Whatfont is a useful extension for identifying fonts on web pages, but it has some security concerns related to its use of innerHTML assignment and String.fromCharCode. Users should be cautious when installing extensions with similar permissions and code patterns.
