TabFloater: Picture-in-Picture for any tab!
Version 2.0.0 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has a moderate user base of 6,000 users with a decent 3.7-star rating from 69 reviews, suggesting some level of community validation. The developer uses a professional domain (tabfloater.io) which adds credibility. The picture-in-picture functionality described aligns with the extension's stated purpose of floating tabs.
The combination of tabs permission with broad host permissions (<all_urls>) creates significant privacy and security risks. The extension can access and manipulate all browser tabs while having unrestricted access to every website you visit. The nativeMessaging permission allows communication with external applications on your system, which could potentially be exploited. The offscreen permission enables background processing that may not be transparent to users. While storage and notifications permissions are reasonable for the functionality, the overall permission set is quite expansive for a tab floating utility.
Consider running this extension in a separate Chrome profile dedicated to non-sensitive browsing activities. Regularly review what tabs you're floating and avoid using it with sensitive websites like banking or personal accounts. Monitor your system for any unexpected native applications that might be communicating with the extension. Given the broad permissions, consider alternative picture-in-picture solutions with more limited scope if available. Keep the extension updated and periodically review its behavior and any changes in permissions.
Findings
Security Analysis Details
Required Permissions:
- nativeMessaging
- storage
- tabs
- alarms
- notifications
- offscreen
Host Permissions:
- <all_urls>
Embedded URLs (40 total):
| http://mozilla.org/MPL/2.0/. | https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/runtime/onMessage | |
| https://github.com/mozilla/webextension-polyfill/issues/130 | https://github.com/mozilla/webextension-polyfill | |
| https://www.getuikit.com | http://www.w3.org/2000/svg | |
| https://www.youtube | https://vimeo.com/api/oembed.json?maxwidth=1920&url= | |
| https://player.vimeo.com/video/ | https://github.com/uuidjs/uuid#getrandomvalues-not-supported | |
| http://www.apache.org/licenses/LICENSE-2.0 | https://codepen.io/zzseba78/pen/PxwmeV | |
| https://codepen.io/AllThingsSmitty/pen/MmxxOz | https://bugzilla.mozilla.org/show_bug.cgi?id=1046835 | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=748518 | https://bugzilla.mozilla.org/show_bug.cgi?id=214004 | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=317933 | https://bugzilla.mozilla.org/show_bug.cgi?id=1271047 | |
| https://www.google-analytics.com/collect | https://support.google.com/analytics/answer/2763052?hl=en | |
| https://www.tabfloater.io/privacy | https://addons.mozilla.org/en-US/firefox/addon/tabfloater/ | |
| https://chrome.google.com/webstore/detail/iojgbjjdoanmhcmmihbapiejfbbadhjd | https://tabfloater-3b3a5.web.app/connect-offscreen.html | |
| https://www.tabfloater.io/uninstall | https://www.tabfloater.io/companion-latest- | |
| https://fonts.googleapis.com/css2?family=Lato:ital | https://www.tabfloater.io/ | |
| https://tabfloater-3b3a5.web.app/ | https://www.tabfloater.io/download | |
| https://forum.vivaldi.net/topic/31027/keyboard-shortcuts-not-working-with-extensions | https://github.com/tabfloater/tabfloater/issues/new/choose | |
| https://github.com/tabfloater/tabfloater/blob/master/LICENSE | https://github.com/tabfloater/tabfloater | |
| https://github.com/tabfloater/tabfloater/issues/new?assignees=&labels=bug&template=bug-report.md&title= | https://www.tabfloater.io/documentation#why-do-i-need-to-install-an-application-on-my-computer-to-use-tabfloater | |
| https://www.tabfloater.io/documentation | https://launchpad.net/~tabfloater/+archive/ubuntu/companion | |
| https://launchpad.net/~ba32107/+archive/ubuntu/tabfloater | https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlazRJmLWlYBPmSrgf5gEmXPtTk6JDnTYtcgB685fp0rjBDZm8BJRtQcsk8wWL1w59ULFYsWGjPa0OSXJfx0xATWM9nX1SlRrXjkmEfQtFokFFq/blVVOU5gsXETBbJh2fGcmXhHxma0qa6/N3JKAMsymyDmfz8igIGWxBK3ps5J+y0Eeqxo2rV1ocnAcX23ieDNSZmUezv4bfpOrB9WJ8jTptkeWHdBj7myNAKpPUJV0Q6oechq96koUG3Dwh4Ru2rdSzWKsTkGh8hVvi38tRgg1E11AFhPammYigjOoWrGL4Ov4PGoRyugrVywAudFywKoHWkvyTiBDRqrW6GJUOwIDAQAB", "name": "TabFloater: Picture-in-Picture for any tab!", "icons": { "16": "images/icons/16.png", "32": "images/icons/32.png", "48": "images/icons/48.png", "128": "images/icons/128.png" }, "action": { "default_icon": { "16": "images/icons/16.png", "32": "images/icons/32.png", "48": "images/icons/48.png", "128": "images/icons/128.png" }, "default_title": "Float tab!" }, "version": "2.0.0", "commands": { "moveUp": { "description": "Unfloat tab / move up", "suggested_key": { "default": "Alt+I" } }, "moveDown": { "description": "Float tab / move down", "suggested_key": { "default": "Alt+K" } }, "moveLeft": { "description": "Move left", "suggested_key": { "default": "Alt+J" } }, "moveRight": { "description": "Move right", "suggested_key": { "default": "Alt+L" } } }, "background": { "type": "module", "service_worker": "js/main.js" }, "options_ui": { "page": "html/options.html", "open_in_tab": true }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "TabFloater allows you to multitask by moving browser tabs into floating windows, similar to “Picture-in-Picture” on TVs.", "permissions": [ "nativeMessaging", "storage", "tabs", "alarms", "notifications", "offscreen" ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "externally_connectable": { "matches": [ "https://tabfloater-3b3a5.web.app/*", "http://localhost:5000/*" ] } }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.