I just found the extension and I tried it. But I got immediately suspicious about it, as I do for any software that can access some of my data. I am not implying the extension is malicious or insecure. It is probably secure and respects privacy. But it is hard to audit and the Chrome Extension permissions are not very clear to me, even after a lot of effort and about an hour trying to understand it.
The source code seems very well organized and very good quality software. So let me explain my thoughts about privacy and security. I don't want to be rude or anything, and I do appreciate the great effort you had to provide this free of charge and all in the open. So I am sending this feedback in the hopes that you find it interesting and to have a conversation about it if you so want to. I don't expect you to change the extension in any way based on this feedback.
Here is what I expected to be able to audit:
- That the extension connects exclusively to fastmail.com and nothing else
- That the extension cannot be updated in the background to connect to somewhere else than fastmail.com
- That the extension is not suspiciously collecting any information besides what is essential to use (like the API token and cached info from the fastmail.com masked email API)
Why I could not be sure of the above:
- When installing the extension it does not ask for a list of sites to access. Of course it should access all tabs, but it does not tell me upfront what requests it is allowed to make in the background
- When I look at the extension source code (not on GitHub, the one actually installed on ~/Library/Application Support/..../[extension_folder]), it is all minified and in one line, instead of the source files
- Even if I prettify the JavaScript inside the extension, since you use TypeScript, it has a lot of wrappers and it is hard to read
- I went ahead and installed the extension anyway. When I add an API token and test it, it is able to show my emails, but no permission dialog popped up, so since it accessed fastmail.com and never asked for anything, I assume the extension could be updated and make requests to any domain anywhere, which means my data could be extracted and sent somewhere
- I am using Brave, but I assume neither Brave nor Chrome has a list of the requests the extension made (like the network panel in dev tools). I also tried to inspect the extension with dev tools and it does not show in the extension debugger (uBlock Origin does, but I assume this extension does not run a background page, so it won't show there).
I don't know enough about extensions to understand how I could use this extension and be sure my security and privacy are respected. I use other extensions when they are provided by the vendor (in this case, if it were an official Fastmail extension). I thought about installing it from the GitHub source but it is a lot of trouble to build it from scratch. Even if I do, I would need to go through the whole source code before building it. If I download it as a zip, then the code is all compacted (of course, same as downloaded from the extension store). If I had a 1-to-1 JavaScript built file maybe I would be able to inspect it.
I also tried to read the extension source code on GitHub. After 20 or 30 minutes I can't find a single line that shows me how the requests are made. Then I found a lot of browser.sync, but this also requires me to understand what the extension polyfill does, and I found out there are a lot of external dependencies I need to inspect to be sure they are not compromised as well. I went to the npm dependency page and the Fastmail masked email package is also provided by you, but then it is another place to audit, and I need to be sure the package on npm is not compromised by a third party and is the exact output of your GitHub code.
So I concluded this is a very interesting project, one that I want to use. But until I have time to go through the whole extension and build it myself using local copies of all of your dependencies, I don't want to keep it installed. So I am considering building a simple version from scratch for my own use, with zero dependencies and pure JavaScript. It might be easier than learning all of your stack. The only library I know is React. So I'll probably not bother learning Vite, learning Tailwind, and reading all of the code. I now realize why other extensions are often just one large JavaScript file instead of breaking it down into modules like you did. Your code looks great, and I am pretty sure you are very productive with it, as you use a stack you are familiar with. But maybe it is too much for privacy-concerned people, the ones that took the time to set up Fastmail and the masked email feature.
Finally, I just want to remind you that I am sending this feedback in good faith and I am open to conversation, as I find this privacy and security topic very interesting to chat about. And although I am not yet a user of the extension I want you to know I appreciate your effort and contribution of making it open source a lot. Thank you.
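The host-permission audit the post asks for can be started from the installed extension's manifest.json rather than the minified bundle. The Python below is an added example, not code from the extension or its author: it lists every match pattern that grants host access (MV2 "permissions", MV3 "host_permissions", content-script "matches"), flags wildcard patterns, checks the remaining hosts against an allowed domain (fastmail.com, from the post), and pulls URL literals out of a bundle for comparison. The manifest and bundle text are constructed samples.

```python
import re

# Match patterns that grant access to every origin ("*://*/*" is caught by the host == "*" check)
BROAD_PATTERNS = {"<all_urls>", "http://*/*", "https://*/*"}

def host_patterns(manifest):
    """All match patterns granting host access. MV2 mixes them into "permissions",
    MV3 uses "host_permissions"; content-script "matches" grant access to those pages."""
    patterns = []
    for key in ("permissions", "host_permissions", "optional_host_permissions"):
        # API permissions such as "storage" or "tabs" never contain "://"
        patterns += [p for p in manifest.get(key, []) if p == "<all_urls>" or "://" in p]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return patterns

def pattern_host(pattern):
    """Host part of "scheme://host/path"; None for <all_urls>."""
    if pattern == "<all_urls>":
        return None
    return pattern.split("://", 1)[1].split("/", 1)[0]

def host_allowed(host, allowed_suffixes):
    """True if host (possibly "*.example.com") stays inside an allowed domain."""
    bare = host[2:] if host.startswith("*.") else host
    return any(bare == s or bare.endswith("." + s) for s in allowed_suffixes)

def audit_manifest(manifest, allowed_suffixes):
    """Report wildcard host access and hosts outside the expected domains."""
    patterns = host_patterns(manifest)
    broad = [p for p in patterns if p in BROAD_PATTERNS or pattern_host(p) == "*"]
    unexpected = sorted({pattern_host(p) for p in patterns
                         if p not in broad and not host_allowed(pattern_host(p), allowed_suffixes)})
    return {"broad": broad, "unexpected_hosts": unexpected}

URL_RE = re.compile(r"https?://[A-Za-z0-9.-]+")

def url_hosts_in_bundle(js_source):
    """Hosts appearing as URL literals in a (possibly minified) bundle, to compare
    against the manifest. URLs assembled at runtime will not show up here."""
    return sorted({m.split("://", 1)[1] for m in URL_RE.findall(js_source)})

# Constructed sample inputs (not taken from the real extension)
SAMPLE_MANIFEST = {
    "manifest_version": 3,
    "permissions": ["storage", "activeTab"],
    "host_permissions": ["https://*.fastmail.com/*", "https://api.example-telemetry.invalid/*"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}],
}
SAMPLE_BUNDLE = 'fetch("https://api.fastmail.com/");var u="https://cdn.example.invalid/a.js"'
```

Running `audit_manifest(SAMPLE_MANIFEST, ["fastmail.com"])` on the sample flags the `<all_urls>` content script and the telemetry host, while a manifest scoped only to `https://*.fastmail.com/*` comes back clean.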