CRXaminer

JPEG XL Viewer

Version 0.3.0

Last scanned: about 24 hours ago

Extension Details

Rating: 4.4 ★ (28 ratings)
Users: 4,000

Context-Aware Verdict

Risk Level: HIGH
Trust Factors: The extension has a reasonable user base of 4,000 downloads and a solid 4.4-star rating from 28 reviews, suggesting users find it functional. The specific purpose of viewing JPEG XL files is legitimate and addresses a real need since this format isn't natively supported by Chrome. However, the lack of developer information raises some transparency concerns.
Concerns: The extension's permissions are extremely broad for its stated purpose. Host permissions for all URLs and content script injection across all websites are excessive for a simple image viewer. The unsafe WebAssembly execution policy is particularly concerning as it could hide malicious code. A JPEG XL viewer should theoretically only need to activate on pages containing these specific image files, not have blanket access to all websites and the ability to inject scripts everywhere.
Recommendations: Given the high-risk permissions that seem disproportionate to the extension's function, consider running this in a separate Chrome profile if you need JPEG XL viewing capabilities. Monitor your browsing activity for any unusual behavior. Look for alternative JPEG XL viewers with more restrictive permissions, or consider using standalone image viewing software instead. The WebAssembly execution capability, while potentially necessary for image processing, adds significant risk that warrants caution.

Security Analysis

Overall Risk: HIGH
Based on 3 total findings, ranked without considering overall context, including 3 high-risk and 0 medium-risk findings.

HIGH: Broad Content Script Injection
This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH: Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH: Unsafe WebAssembly Execution
This extension's Content Security Policy allows 'wasm-unsafe-eval', which permits potentially dangerous WebAssembly code execution. This could be used to hide malicious code or perform CPU-intensive operations.