TabFloater: Picture-in-Picture for any tab!
Version 2.0.0 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has a relatively small user base of 6,000 users with a moderate rating of 3.6 out of 5 stars from 71 reviews, which suggests mixed user experiences. The developer uses a dedicated domain (tabfloater.io) which adds some legitimacy, and the extension's purpose of providing picture-in-picture functionality for browser tabs is clearly stated and useful.
The extension requests extremely broad permissions that raise significant privacy and security concerns. The combination of "tabs" permission with "<all_urls>" host permissions means it can access and manipulate all your browser tabs across every website you visit. The "nativeMessaging" permission allows communication with external applications on your computer, which could potentially be exploited. The "offscreen" permission enables background processing that may not be transparent to users. These permissions collectively provide far more access than typically necessary for a picture-in-picture feature.
Given the high risk level, consider running this extension in a separate Chrome profile dedicated to non-sensitive browsing activities. Avoid using it while accessing banking, email, or other sensitive websites. Monitor the extension's behavior closely and review what data it might be collecting. Consider alternative picture-in-picture solutions with more limited permissions, or use Chrome's built-in picture-in-picture features where available. Regularly review and audit extensions with such broad permissions.
Findings
Security Analysis Details
Required Permissions:
- nativeMessaging
- storage
- tabs
- alarms
- notifications
- offscreen
Host Permissions:
- <all_urls>
Embedded URLs (40 total):
| http://mozilla.org/MPL/2.0/. | https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/runtime/onMessage | |
| https://github.com/mozilla/webextension-polyfill/issues/130 | https://github.com/mozilla/webextension-polyfill | |
| https://www.getuikit.com | http://www.w3.org/2000/svg | |
| https://www.youtube | https://vimeo.com/api/oembed.json?maxwidth=1920&url= | |
| https://player.vimeo.com/video/ | https://github.com/uuidjs/uuid#getrandomvalues-not-supported | |
| http://www.apache.org/licenses/LICENSE-2.0 | https://codepen.io/zzseba78/pen/PxwmeV | |
| https://codepen.io/AllThingsSmitty/pen/MmxxOz | https://bugzilla.mozilla.org/show_bug.cgi?id=1046835 | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=748518 | https://bugzilla.mozilla.org/show_bug.cgi?id=214004 | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=317933 | https://bugzilla.mozilla.org/show_bug.cgi?id=1271047 | |
| https://www.google-analytics.com/collect | https://support.google.com/analytics/answer/2763052?hl=en | |
| https://www.tabfloater.io/privacy | https://addons.mozilla.org/en-US/firefox/addon/tabfloater/ | |
| https://chrome.google.com/webstore/detail/iojgbjjdoanmhcmmihbapiejfbbadhjd | https://tabfloater-3b3a5.web.app/connect-offscreen.html | |
| https://www.tabfloater.io/uninstall | https://www.tabfloater.io/companion-latest- | |
| https://fonts.googleapis.com/css2?family=Lato:ital | https://www.tabfloater.io/ | |
| https://tabfloater-3b3a5.web.app/ | https://www.tabfloater.io/download | |
| https://forum.vivaldi.net/topic/31027/keyboard-shortcuts-not-working-with-extensions | https://github.com/tabfloater/tabfloater/issues/new/choose | |
| https://github.com/tabfloater/tabfloater/blob/master/LICENSE | https://github.com/tabfloater/tabfloater | |
| https://github.com/tabfloater/tabfloater/issues/new?assignees=&labels=bug&template=bug-report.md&title= | https://www.tabfloater.io/documentation#why-do-i-need-to-install-an-application-on-my-computer-to-use-tabfloater | |
| https://www.tabfloater.io/documentation | https://launchpad.net/~tabfloater/+archive/ubuntu/companion | |
| https://launchpad.net/~ba32107/+archive/ubuntu/tabfloater | https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlazRJmLWlYBPmSrgf5gEmXPtTk6JDnTYtcgB685fp0rjBDZm8BJRtQcsk8wWL1w59ULFYsWGjPa0OSXJfx0xATWM9nX1SlRrXjkmEfQtFokFFq/blVVOU5gsXETBbJh2fGcmXhHxma0qa6/N3JKAMsymyDmfz8igIGWxBK3ps5J+y0Eeqxo2rV1ocnAcX23ieDNSZmUezv4bfpOrB9WJ8jTptkeWHdBj7myNAKpPUJV0Q6oechq96koUG3Dwh4Ru2rdSzWKsTkGh8hVvi38tRgg1E11AFhPammYigjOoWrGL4Ov4PGoRyugrVywAudFywKoHWkvyTiBDRqrW6GJUOwIDAQAB", "name": "TabFloater: Picture-in-Picture for any tab!", "icons": { "16": "images/icons/16.png", "32": "images/icons/32.png", "48": "images/icons/48.png", "128": "images/icons/128.png" }, "action": { "default_icon": { "16": "images/icons/16.png", "32": "images/icons/32.png", "48": "images/icons/48.png", "128": "images/icons/128.png" }, "default_title": "Float tab!" }, "version": "2.0.0", "commands": { "moveUp": { "description": "Unfloat tab / move up", "suggested_key": { "default": "Alt+I" } }, "moveDown": { "description": "Float tab / move down", "suggested_key": { "default": "Alt+K" } }, "moveLeft": { "description": "Move left", "suggested_key": { "default": "Alt+J" } }, "moveRight": { "description": "Move right", "suggested_key": { "default": "Alt+L" } } }, "background": { "type": "module", "service_worker": "js/main.js" }, "options_ui": { "page": "html/options.html", "open_in_tab": true }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "TabFloater allows you to multitask by moving browser tabs into floating windows, similar to “Picture-in-Picture” on TVs.", "permissions": [ "nativeMessaging", "storage", "tabs", "alarms", "notifications", "offscreen" ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "externally_connectable": { "matches": [ "https://tabfloater-3b3a5.web.app/*", "http://localhost:5000/*" ] } }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.