Extension Details
Context-Aware Verdict
WhatFont is a well-established font identification tool with an impressive 3 million users and a solid 4.0-star rating from 2,000 reviews. The extension serves a clear, legitimate purpose - helping designers and developers identify fonts on web pages. The developer appears to maintain the extension actively, having updated it to Manifest V3, which demonstrates commitment to modern security standards.
The extension requests activeTab and scripting permissions, which are necessary for its core functionality of analyzing fonts on web pages. While these permissions are appropriate for a font identification tool, they do allow the extension to access and modify content on the currently active tab when the user clicks the extension icon. The scripting permission enables code injection into web pages, which could theoretically be misused if the extension were compromised.
This extension presents minimal risk for most users. The permissions align well with its stated purpose, and the large user base suggests it's trustworthy. However, security-conscious users should be aware that the extension can access page content when activated. For users working with sensitive information, consider using WhatFont only on non-sensitive websites or in a separate Chrome profile dedicated to design work. The extension's popularity and longevity in the Chrome Web Store provide additional confidence in its legitimacy.
Findings
Security Analysis Details
Required Permissions:
- activeTab
- scripting
Embedded URLs (12 total):
| http://mozilla.org/MPL/2.0/. | https://github.com/mozilla/webextension-polyfill/issues/130 | |
| https://clients2.google.com/service/update2/crx | http://chengyinliu.com/whatfont.html | |
| https://reactjs.org/docs/error-decoder.html?invariant= | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/2000/svg | |
| http://www.w3.org/1998/Math/MathML | http://www.w3.org/1999/xhtml | |
| http://fb.me/use-check-prop-types | https://fe1aa23219cc6bc8921f8329253dd665@o4506814553522176.ingest.sentry.io/4506814688657408 |
Raw Manifest
{ "name": "WhatFont", "icons": { "16": "icon16.png", "32": "icon32.png", "48": "icon48.png", "96": "icon96.png", "128": "icon128.png", "256": "icon256.png" }, "action": { "default_icon": { "19": "icon19.png", "38": "icon38.png", "76": "icon76.png" } }, "author": "chengyin.liu@gmail.com", "version": "3.2.0", "background": { "service_worker": "./background/background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "The easiest way to identify fonts on web pages.", "permissions": [ "activeTab", "scripting" ], "homepage_url": "http://chengyinliu.com/whatfont.html", "manifest_version": 3 }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.