Hacker News new | past | comments | ask | show | jobs | submit login

For technical reasons beyond my control, SingleFile injects a (very small) script when the page loads even if you don't click on the button. It could also send any data to a third party server. Unfortunately, it is therefore impossible for me to technically and formally guarantee that SingleFile cannot behave maliciously. Note however that the extension has the status "recommended" on Firefox and that it undergoes a manual code review by Mozilla at each update.



On Chrome you can go into extension settings and adjust permissions so SingleFile only has permissions “on click”. Then it won’t/can't inject that little JS snippet into a page until you actually want to use the extension. The only downside is that after enabling you then have to refresh the page for the extension to do its work.

I wish this behavior was more well known and encouraged by Google.


You are absolutely right, thanks for the suggestion! I had totally forgotten about this feature.


Could you please elaborate what script is injected, that reason and why it is that out of your control? Thank you


I will do it, but it will take me some time to explain it and rather than answering on HN I will integrate it in the FAQ. I created an issue for this here: https://github.com/gildas-lormeau/SingleFile/issues/885.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: