Alternatively, for the use cases not needing to be in-browser, why restrict yourself to extensions? Your platform has full-featured apps doing the job outside the browser:
- Linux: I use http://shutter-project.org/
- Windows: I use (payware, but worth it, it does a lot) http://www.faststone.org/FSCaptureDetail.htm , or (foss) http://getgreenshot.org/
xwd | xwdtopnm | pnmtojpeg > /tmp/screenshot.jpg
Then click on the window you want to capture.
[0] https://chrome.google.com/webstore/detail/screen-capture-by-...
I find it very hard to verify that an extension needs that to take screenshots, but now I have disabled that as well.
I guess the only real way to fix this is using something like PhantomJS to take pictures of public websites.
[0] https://chrome.google.com/webstore/detail/full-page-screen-c...
https://github.com/mrcoles/full-page-screen-capture-chrome-e...
It’s malware & spyware free. I built the extension to take a screen cap of a seating chart that I built as a web page for my wedding—since all the other extensions at the time were broken. Why a web page for my seating chart? IDK, I wanted to play with CSS3 columns, alas I should have used photoshop…
I have been contacted by people who want to buy the extension, but it seems too dangerous, since they could easily install their own malware—I wonder if anything like this happened to “Awesome Screenshot”? My own conscience and, more importantly, my personal brand is too important to me to sell it.
In terms of the permissions, when I built it, I had to ask for those permissions in order to make it work. If you find any changes to chrome permissions that let me ask for fewer, please let me know or, better, submit a pull request.
Also, instead of PhantomJS, if you have a Mac, try out `webkit2png`, which works great as long as you don't need to login or interact with a page before the screenshot:
I run the Ghostery extension and a year or so ago I noticed that when visiting YouTube ~15 analytic trackers were being blocked. Turns out a couple of extensions were injecting tens of trackers into popular sites (without my express permission), and I would have had no idea unless I had another extension to block and report this activity.
My girlfriend's computer is worse - her extensions seem to inject actual adverts into lots of her pages. I asked her why there was an obnoxious "click the bottle to win 1000000$" flash advert on Facebook and she thought it was just how Facebook is. Same thing for YouTube and other popular sites.
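The comments above describe extensions that inject trackers and adverts into every page and that ask for permissions that are hard to justify. As an added example (not written by any commenter and not code from the extensions discussed), this Python function flags the manifest.json entries that grant that reach; the function name, the pattern lists and both sample manifests are constructed assumptions.

```python
import json

# Match patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose browsing activity or account data.
SENSITIVE_APIS = {"tabs", "history", "cookies", "webRequest", "identity"}


def audit_manifest(manifest):
    """Return a sorted list of findings for one parsed manifest.json."""
    findings = set()
    # Manifest V2 mixes hosts into "permissions"; V3 uses "host_permissions".
    declared = []
    for key in ("permissions", "optional_permissions", "host_permissions"):
        declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
    for perm in declared:
        if perm in BROAD_HOSTS:
            findings.add(f"host access to all sites: {perm}")
        elif perm in SENSITIVE_APIS:
            findings.add(f"sensitive API: {perm}")
    # Content scripts run inside matching pages and can rewrite them.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            if pattern in BROAD_HOSTS:
                files = ", ".join(script.get("js", [])) or "(no js listed)"
                findings.add(f"content script on all sites ({pattern}): {files}")
    # OAuth scopes the extension can request through chrome.identity.
    for scope in manifest.get("oauth2", {}).get("scopes", []):
        findings.add(f"oauth2 scope: {scope}")
    return sorted(findings)


# Constructed sample manifests, not taken from any real extension.
BROAD = json.loads("""{
  "name": "example-capture", "manifest_version": 2,
  "permissions": ["tabs", "<all_urls>", "storage"],
  "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["inject.js"]}],
  "oauth2": {"client_id": "placeholder", "scopes": ["https://www.googleapis.com/auth/drive"]}
}""")
NARROW = json.loads("""{
  "name": "example-narrow", "manifest_version": 3,
  "permissions": ["activeTab", "storage"]
}""")

if __name__ == "__main__":
    for m in (BROAD, NARROW):
        print(m["name"], audit_manifest(m) or "no broad access declared")
```

To use it on a real profile, load each installed extension's manifest.json with `json.load` and pass the result to `audit_manifest`.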
I just downloaded the app and went hunting. It indeed connects to some service, more specifically it creates a webview (think iframe but better separated) with url "https://www.diigo.com/account/thirdparty/openid?openid_url=h..." (which you should totally not access with a logged in google account, or in any other way).
It then adds several callbacks one of which handles loading stopped which causes the app to send a command "handshake" to the app. I have so far found two, one of which is a response to the handshake and the other is a command "launch" which opens the index.html command with a given title and data url.
This shit has China written all over it - and I mean so literally because the bg.js file has the following user information at the top, with a Chinese date:
/ * User: xiaoge * At: 14-5-19 5:52下午 * Email: abraham1@163.com */
Will keep digging. So far I haven't found out what it is it sends, but it does request access to both your google drive account and (most worryingly) to your EMAIL.
This is a definite no install.
_Edit_: Remember what I said about your email info? Awesome Screenshot can upload your screenshots to your gdrive, it does so using oauth2, which tells us the client that has access to it. In this case the app signs in as awesomescreenshot.com/client, but uses https://secure.diigo.com/kree as the actual signin url - which means that they now have access to your gdrive files.
In addition to this on Firefox at least I invoke about:config and make several settings changes:
- I disable prefetch.
- I disable media.peerconnect.
- I disable geo tracking.
- I disable HTTP/S referer.
- I disable DOM storage.
- I disable visited link tracking.
I also use EasyList, EasyPrivacy, and Malware domains adblock subscriptions.
In addition, as a Linux user, I want to use Flash on those sites that use it, but I don't want to deal with LSOs tracking me, so I take advantage of Flash by sending those LSOs to /dev/null. The Website is none the wiser and I get the benefit of the Website.
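# Remove the Flash LSO storage directories from your home directory.
rm -rf ~/.adobe
rm -rf ~/.macromedia
# Point both names at /dev/null so Flash has nowhere to store LSOs.
ln -s /dev/null ~/.adobe
ln -s /dev/null ~/.macromedia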
Surf with relative comfort knowing that you've already paid for your Internet connection with cash, no need to give away more of your privacy than needed. Blocking ads is great if you use any social media, as you don't have to see the sodden ads.
Usually stay wary of signing up for anything which tilts towards 3.
Then there are also the miscellaneous services run by someone on the internet mostly for themselves or a small community (or just to get some publicity for themselves) which are also free and don't run on ads, selling data or subscription. I do that, myself. Do you trust Naptha[0]? It was posted on HN some time ago, from the comments[1] I don't even see anyone bringing up the issue of trust.
Due to their response and lack of ability to understand security issues I stopped using them, it's a shame to see they are not any better after 6 years!
Is that part of SimilarWeb Pro? It's not clear from the website how their service could be used to monitor the web client traffic of specific companies. An independent reference on the quoted claim would be helpful.