CRX id
apcghpabklkjjgpfoplnglnjghonjhdl
apcghpabklkjjgpfoplnglnjghonjhdl
Description from extension meta
An extension to shine light on the Project Fugu 🐡 APIs web apps want to use.
Image from store
Description from store
How it works
API data
The raw data for the different Project Fugu 🐡 APIs is curated in a spreadsheet, which is then turned into JavaScript, so keeping the list of APIs updated is hopefully a straightforward task.
API detection
The extension monitors the requests a page makes via the chrome.webRequest.onBeforeRequest.addListener() API. Each response body, grouped by main frame, JavaScript, and Web App Manifest response bodies, is then run through a set of regular expressions like /navigator\.hid\.requestDevice\s*\(/g to determine if the code hints at a Project Fugu 🐡 API potentially being used.
Browser support detection
Most Project Fugu 🐡 APIs are easily feature-detectable by checking for the existence of interfaces or properties, for example, as in 'BarcodeDetector' in window. Other APIs require a ServiceWorkerRegistration, but luckily the popup window in Manifest V3 extensions uses a service worker, so it can be used via an IIFE that can be run in the client or the service worker. An example is (async () => 'periodicSync' in (await navigator.serviceWorker?.ready || self.registration))().
The support categories are listed below:
✔️ Supported by your browser.
🚫 Not supported by your browser.
🤷 Support unknown for your browser. (The only way to know would be user-agent sniffing.)
Deep-linking
The extension makes use of Text Fragment URLs to deep-link to the occurrence of a detected API, for example https://airhorner.com/scripts/main.min.js#:~:text=navigator.setAppBadge(. For main frame documents, the source code gets rendered in a helper HTML page controlled by the extension, since it is impossible to link to view-source: protocol links.
Limitations
• The chrome.webRequest.onBeforeRequest.addListener() API unfortunately does not "see" requests that are handled by a service worker (crbug.com/766433). There are three possible workarounds for this:
- Hard-reload via ⌘/ctrl+shift+r.
- Open DevTools and check the Bypass for network checkbox in the Service Worker section of the Application tab.
- Clear storage in the Storage section of the Application tab.
• The extension only does static code analysis, that is, there is no guarantee that the app actually uses the code snippet where a Project Fugu 🐡 API was detected.
• Heavily minified code will not be detected. For example, if an app minifies navigator.clipboard.write() to const nav = navigator; nav.clipboard.write(), the extension will not detect this.
License
Apache 2.0.