We all know that Google does not get its act together and often times failed to detect, when Extensions contained malicious code – and that the culprits have become are very creative in evading the inspection bots.
As happened multiple times in the past, extensions changed their owner and a short time after that started to contain malicious code. Because Google “prevents” downloading of extensions for inspection without installing them first, we must convince them, that it is a legitimate download. In the past there were websites like “Chrome Extensions downloader”, which provided a convenient was to download them, but since Google changed the usual address scheme, those sited broke – but no worry, It is still possible by using a simple bookmarklet.
- Create a new bookmark in Vivaldis Bookmark
- Give it a recognizable name, e.g. “Download Chrome Extension”
- Add a shortcut like e.g. crx
- Copy the following as address:
javascript:location.href='https://clients2.google.com/service/update2/crx?response=redirect&acceptformat=crx2,crx3&prodversion=%27+(navigator.appVersion.match(/Chrome%5C/(%5CS+)/)%5B1%5D)+%27&x=id%%27+%273D%27+(document.querySelector(%27a%5Bhref%5E=%22https://chrome.google.com/webstore/report/%22%5D%27).pathname.match(/%5B%5E%5C/%5D+%5C/*$/)%5B0%5D)+%27%%27+%2726installsource%%27+%273Dondemand%%27+%2726uc%27;
- Click in the bookmarks address field and arrow to the start of the address and, if missing, add javascript: (without quotes) in front of the address.
After all that is done and checked, you can visit the Google Webstore, search for an extension you want to inspect before install, and type “crx” in the address bar, hit “save as” and rename extension_[version number].crx to something sensible.
If successful, you can unpack the Extension with e.g. 7zip and open the files with a Editor of your choice.
Happy inspecting!
Thanks for this javascriptlet 🙂
A handy tip indeed.
However if you want to look at the source code in any extensions before you download them, you can look in https://crxcavator.io
You can look back through previous versions to compare the changes.
There are also open source extensions such as https://github.com/tonystark93/crx-download that will add a download (as zip or crx) option to the page.
nice workaround..
“Because Google “prevents” downloading of extensions for inspection without installing them first, we must convince them, that it is a legitimate download”
Yeaah it’s shame Google are this stupid, of course maybe it’s not stupidity and just evil or a combination retarded lazy development headed up by evil people who couldn’t care less.