迅雷下载支持

Name: Security Analysis: 迅雷下载支持
Item: 迅雷下载支持
Rating: 1
Author: ChromeBoard

🔍 Security Report Available

👥 39M+ users

📦 v3.52.14

💾 266KiB

📅 2025-10-29

View on Chrome Web Store

Chrome will indicate if you already have this installed.

Lets you easily download multiple links from web pages with a single click, as well as online videos, making it convenient for those who frequently need to download files or watch content online. The extension is particularly useful for users who rely on Xunlei's downloading capabilities and want to streamline their browsing experience. With its "多选下载" mode, you can quickly grab multiple links from a webpage without having to manually select each one.

Overview

该扩展用于实现迅雷接管Chrome浏览器的下载请求，方便的“多选下载”模式可以快速下载网页中的多个链接，并支持下载网页中的在线视频。

【注意】
1、非迅雷X官方客户端可能会无法使用！
2、如有问题及建议请加QQ群：578739634

【更新信息】
.2025-10.29 更新至3.52.14，修复已知问题
.2025-09.02 更新至3.52.13，插件接管下载后，允许用户返回浏览器下载
.2025-08.26 更新至3.52.12，解决自动开启多选快捷键shift+D带来的快捷键冲突问题
.2025-08.13 更新至3.52.11，解决个别站点自动触发下载问题
.2025-03.31更新至3.52.10：支持 Huggingface 魔搭等大模型文件的一键批量下；支持wiki内的磁力链接支持唤起迅雷
.2024-12-27更新至3.52.9：修复bug
.2024-12-25更新至3.52.8：优化在线视频站点适配
.2024-11-18更新至3.52.7：优化使用代理后插件失效的问题
.2024-11-18更新至3.52.6：优化插件小文件下载体验，修复已知问题
.2024-10-24更新至3.52.5：优化下载流程，修复已知问题
.2024-09-05更新至3.52.4：修复已知bug
.2024-09-04更新至3.52.3：修复已知bug
.2024-07-31更新至3.52.1：修复已知bug
.2024-04-23更新至3.51：修复PC卸载后点击下载链接无反应
.2024-04-03更新至3.50：修复PC卸载后点击下载链接无反应
·2024-02-27更新至3.49：修复了部分已知问题
·2024-01-03更新至3.48：修复了部分已知问题
·2023-12-29更新至3.47：【下载视频】兼容新视频格式
·2023-12-18更新至3.46：修复了部分已知问题
·2023-12-12更新至3.45：修复了部分已知问题
·2023-12-07更新至3.44：修复了部分站点【存云盘】样式错误
·2023-11-17更新至3.43：修复了Mac端空白标签页无法接管下载的问题
·2023-10-20更新至3.42：修复了部分已知问题
·2023-09-07更新至3.41：修复了部分已知问题
·2023-08-30更新至3.40：上线老用户回归礼遇活动
·2023-08-21更新至3.39：修复了部分已知问题
·2023-08-08更新至3.38：支持网页链接【存云盘】，存云盘功能需与迅雷12客户端（12.0.0及以上版本）联动使用
·2023-08-02更新至3.37：修复了部分站点无法调起下载的问题
·2023-06-12更新至3.36：修复了部分已知问题
·2023-04-21更新至3.35：优化了部分下载体验
·2023-02-09更新至3.34：支持【投屏在线视频】，投屏功能需与迅雷11客户端（11.4.2及以上版本）联动使用
·2022-09-19更新至3.33：优化了部分下载体验
·2022-08-31更新至3.32：插件修复页面失活时，点击插件图标出现弹出失败；修复部分页面接管异常等BUG；修复下载结果异常的问题
·2022-08-12更新至3.31：插件支持window平台chrome和mac平台chrome；修复取消接管异常功能及扩展升级MV3协议
·2022-04-29更新至3.30：修正部分文件下载乱码的问题，优化下载接管
·2021-07-16更新至3.29：新增【图片批量下载】功能
·2021-03-19更新至3.27：继续修正影响网页样式的问题
·2021-03-19更新至3.26：修正影响网页样式的问题
·2021-03-15更新至3.25：采用重新设计的未安装迅雷对话框
·2021-02-04更新至3.24：修正在【飞书文档】中按下Shift+D误触发【多选下载】的问题
·2020-10-22更新至3.23：修正部分下载请求无法接管的问题
·2020-05-26更新至3.22：新增“多选下载”快捷键开关
·2020-01-06更新至3.20：鼠标焦点处于编辑框时，不触发多选下载快捷键。
·2019-11-28更新至3.19：默认下载接管更加可靠了，因此移除强力接管功能。并修正部分邮箱附件无法下载的问题。
·2019-11-19更新至3.18：继续修正部分站点Cookie传递错误的问题。
·2019-11-19更新至3.17：修正在视频元素上点右键进入“多选下载模式”后，无法退出该模式的问题
·2019-11-18更新至3.16：新增“多选下载”模式（快捷键Shift+D）。修正部分站点Cookie传递错误的问题。
·2019-11-08更新至3.15：修正先安装扩展，后安装迅雷X时，无法接管下载请求的问题。
·2019-10-22更新至3.14：实时同步迅雷X的不接管站点列表。
·2019-10-15更新至3.13：修正无法接管左键点击下载请求的问题。
·2019-10-12更新至3.12：优化“在线视频检测”功能的兼容性。
·2019-10-10更新至3.11：新增“在线视频检测”功能，可在工具栏菜单中关闭。
·2019-07-23更新至3.10：修正某些302跳转无法捕获下载的问题。修正某些页面引用页为空，导致无法取消接管的问题
·2019-05-17更新至3.8：优化默认接管实现方法，大幅提升未“开启强力接管”时的接管成功率
·2019-04-02更新至3.6：修正无法接管百度搜索结果列表中的下载请求的问题
·2019-03-27更新至3.5：恢复更新，兼容迅雷X、迅雷9，解决老版本的一些问题
·2014-08-08更新至3.1：采用Native Messaging API实现，支持最新版本Chrome浏览器，包括64位版本。支持按Ctrl键点击下载地址时不拉起迅雷。
·2014-05-22更新至2.12：在2.10版本基础上，解决弹出“true”提示的问题
·2014-05-16更新至2.11：临时更新到2.11，代码回退至2.9，解决弹出“true”提示的问题
·2014-05-16更新至2.10：地址栏右侧“迅雷”图标增加“监视动态链”选项（即“Chrome Downloads API”的支持开关）。解决可能栈溢出引起崩溃的问题
·2014-04-17更新至2.9：修正Chrome更新至34之后，地址栏右侧迅雷图标中菜单点击无效的问题。
·2014-04-02更新至2.8：扩展所包含dll加数字签名。
·2014-03-18更新至2.6：采用Chrome Downloads API实现下载请求监视，大幅提升监视准确性！
·2013-10-11更新至2.5：在Chrome工具栏增加迅雷扩展的入口，可设置“启用迅雷Chrome支持、本页面不关联迅雷、本网站不关联迅雷”并增加反馈建议的菜单项。
·2013-08-28更新至2.4：优化动态链接监视逻辑，只监听常用下载站点的动态链
·2013-06-25更新至2.1：支持动态链接的监视。支持从迅雷7客户端的监视设置中获取监视文件类型
·2013-02-04更新至1.11：修正右键使用迅雷下载时，Cookie参数格式不正确的问题
·2013-01-04更新至1.10：支持Cookie参数传递
（例如：使用Chrome浏览器拉起迅雷下载“迅雷快传”上的文件，将获得更快的下载速度）
·2012-09-19更新至1.9：支持最新版本Chrome

Privacy Practices

✓ Not being sold to third parties, outside of the approved use cases

✓ Not being used or transferred for purposes that are unrelated to the item's core functionality

✓ Not being used or transferred to determine creditworthiness or for lending purposes

v3.52.14 Critical Scanned Feb 25, 2026

Security Analysis — 迅雷下载支持

Analyzed v3.52.14 · Feb 25, 2026 · 14 JS files · 350 KB scanned

Permissions

Code Patterns Detected

External Connections

down.sandai.net mac.xunlei.com www.xunlei.com www.w3.org api-shoulei-ssl.xunlei.com static-xl.a.88cdn.com jsq.xunlei.com sl-m-ssl.xunlei.com misc-xl9-ssl.xunlei.com github.com

What This Extension Does

This extension enables Chrome users to redirect downloads to the Xunlei client for faster, more efficient downloading. It supports multi-select download mode, video streaming capture, and integrates with Xunlei's desktop application via native messaging. The extension is intended for users who rely on Xunlei for file management and want seamless integration within their browser.

Permissions Explained

contextMenusexpected: Allows the extension to add custom menu items in the browser context, such as right-click options or toolbar buttons. This is typical for extensions that enhance user interaction with web content.
Technical: Uses Chrome's Context Menus API to create and manage menus. Can be used to inject actions into pages but does not access page content directly unless combined with other permissions like 'scripting'.
cookiesexpected: Gives the extension permission to read and modify cookies, which are small data files used by websites for tracking sessions or preferences. This is often needed when interacting with web services.
Technical: Accesses cookie data via Chrome's Cookies API; allows reading/writing of session tokens or authentication-related information from sites visited in the browser.
tabsexpected: Enables the extension to access and manipulate tabs, such as viewing tab URLs or closing them. Useful for managing browsing sessions or redirecting downloads.
Technical: Uses Chrome's Tabs API to retrieve active tab information, navigate tabs, or manage browser windows — potentially useful in hijacking download behavior across tabs.
webRequestexpected: Allows the extension to monitor and intercept network requests made by the browser. This is essential for capturing downloads before they are handled natively.
Technical: Uses Chrome's Web Request API to observe HTTP(S) traffic, including download initiation events. Can be used to redirect or block certain types of requests depending on configuration.
downloadsexpected: Grants access to the browser's download manager, allowing it to initiate and manage downloads directly from within Chrome. This is necessary for handling file transfers.
Technical: Uses Chrome's Downloads API to start or cancel downloads programmatically; can also retrieve metadata about ongoing or completed downloads.
nativeMessagingexpected: Enables communication between the browser extension and a local application (in this case, Xunlei). This is required for integrating with desktop software.
Technical: Uses Chrome's Native Messaging API to send messages to an external native app installed on the user’s machine. Communication occurs through named pipes or sockets; requires installation of a helper binary.
storageexpected: Allows the extension to store data locally in the browser, such as settings or preferences. This helps maintain user-specific configurations between sessions.
Technical: Uses Chrome's Storage API (sync/local) for persisting configuration values like enabled features, last-used options, or cached site lists.
scriptingexpected: Permits the extension to inject JavaScript into web pages. This is used to modify page behavior or extract data from specific sites.
Technical: Uses Chrome's Scripting API to dynamically inject scripts into tabs, which may allow manipulation of DOM elements or execution of code on target domains.
notificationsexpected: Enables the extension to show pop-up notifications in the browser. These are typically used for alerts, status updates, or user actions.
Technical: Uses Chrome's Notifications API to display messages; can include clickable content and custom icons but does not access sensitive data directly.
<all_urls>expected: Grants broad access to all websites, meaning the extension can run on any page. This is necessary for intercepting downloads across various domains.
Technical: Allows full control over every URL visited in Chrome; enables injection of content scripts and interception of requests from any domain without restriction.
http://*/*expected: Gives permission to access all HTTP websites. This is needed for monitoring download requests on non-secure sites.
Technical: Permits interception of unencrypted traffic; allows reading and modifying request headers or body content from any HTTP site, increasing attack surface if misused.
https://*/*expected: Gives permission to access all HTTPS websites. This is required for secure communication with download servers and web services.
Technical: Allows interception of encrypted traffic; provides full visibility into HTTPS requests, potentially exposing sensitive data if not handled carefully.

Your Data

The extension communicates with several Xunlei servers to manage downloads and provide updates. It also accesses cookies and sends telemetry-like information about usage patterns, though no personal data is explicitly mentioned.

Technical Details

domain
down.sandai.net
protocol
HTTPS
encryption_status
Encrypted
data_types
- cookies
- user agent strings
domain
mac.xunlei.com
protocol
HTTPS
encryption_status
Encrypted
data_types
- cookies
- session tokens
domain
www.xunlei.com
protocol
HTTPS
encryption_status
Encrypted
data_types
- cookies
- page content (for detection)
domain
api-shoulei-ssl.xunlei.com
protocol
HTTPS
encryption_status
Encrypted
data_types
- user agent
- download metadata
domain
static-xl.a.88cdn.com
protocol
HTTPS
encryption_status
Encrypted
data_types
- cookies
- tracking identifiers
domain
jsq.xunlei.com
protocol
HTTPS
encryption_status
Encrypted
data_types
- cookies
- page context data
domain
sl-m-ssl.xunlei.com
protocol
HTTPS
encryption_status
Encrypted
data_types
- cookies
- download logs
domain
misc-xl9-ssl.xunlei.com
protocol
HTTPS
encryption_status
Encrypted
data_types
- session data
- user preferences

Code Findings

Broad host permissions and unrestricted access to all websitesCritical

The extension has permission to run on every website, which means it can potentially interfere with or observe activity across the entire web.

Technical: Uses <all_urls>, http://*/*, https://*/* permissions that allow unrestricted access and injection into any page. This increases risk of unintended behavior or data exposure if misused.

💡 Common in download managers to ensure consistent interception regardless of site structure or domain.

Native messaging used for communication with local Xunlei clientCritical

The extension communicates directly with a desktop application (Xunlei), which could be exploited if the app is compromised or misconfigured.

Technical: Uses Chrome's Native Messaging API to send messages to an installed native host process. If that binary is malicious, it can execute arbitrary code on the user’s machine.

💡 Standard practice for browser extensions integrating with desktop apps; however, requires careful validation of the helper app.

Keystroke capture capabilityCritical

The extension can monitor keystrokes, which may pose a privacy risk if used inappropriately or combined with other tracking features.

Technical: Captures keyboard events via event listeners (e.g., document.addEventListener('keydown')). Could be leveraged to log sensitive input like passwords or form data.

💡 Used by some extensions for shortcuts or hotkeys, but must be carefully implemented and limited in scope.

Dynamic JavaScript importMedium

The extension loads scripts dynamically at runtime. While common, this can introduce vulnerabilities if not properly validated or sandboxed.

Technical: Uses dynamic imports (e.g., import(...)) to load modules conditionally; may increase attack surface if loaded code is untrusted or improperly sanitized.

💡 Standard in modern JS frameworks for modular loading and lazy initialization of components.

InnerHTML assignment — potential XSS vectorMedium

The extension assigns HTML content directly to DOM elements, which could allow cross-site scripting if not sanitized properly.

Technical: Assigns innerHTML values from external sources (e.g., response data or user input) without sanitization; may lead to script injection in vulnerable contexts.

💡 Common for rendering dynamic UI components but requires strict validation and escaping of inputs.

Clipboard write accessMedium

The extension can modify the clipboard, which might be used to inject malicious content or steal data if misused.

Technical: Uses Clipboard API (navigator.clipboard.writeText) to store arbitrary text; could be abused for phishing or credential theft in targeted attacks.

💡 Used by some extensions to copy links or share information, but should only operate on user-initiated actions.

Context menu creationMedium

The extension adds items to the browser context menu. While normal for functionality like download helpers, it can be misused if not carefully managed.

Technical: Creates context menus using Chrome's Context Menus API; may include actions that trigger downloads or other behaviors based on page content.

💡 Standard in extensions providing enhanced interaction with web pages and browser features.

PostMessage for cross-origin communicationMedium

The extension uses postMessage to communicate between frames or windows, which is standard but must be handled securely to prevent hijacking.

Technical: Uses window.postMessage() with target origins; if not validated properly, could allow unauthorized scripts to intercept messages or inject malicious payloads.

💡 Used for secure communication across domains in web apps and extensions when proper origin checks are enforced.

Fetch API usageInfo

The extension uses Fetch to make HTTP requests, which is a standard way of interacting with APIs or downloading resources.

Technical: Uses the Fetch API for network communication; typically used for retrieving configuration files, telemetry data, or service endpoints.

💡 Standard practice in modern web development and browser extensions for making asynchronous calls to servers.

Notifications shownInfo

The extension displays notifications, which is typical behavior for informing users of download status or updates.

Technical: Uses Chrome's Notifications API to show pop-ups; generally safe unless used in spammy or misleading ways.

💡 Commonly used by extensions to alert users about actions taken or errors encountered during operation.

Content script injection into all URLsInfo

The extension injects scripts into every page, which is necessary for detecting and managing downloads but can impact performance.

Technical: Injects content scripts via manifest's 'content_scripts' field targeting <all_urls>; may slow down browsing or interfere with site functionality if not optimized.

💡 Required by download managers to monitor all potential download triggers across the web.

Bottom Line

This extension is designed for integrating Chrome with Xunlei's desktop client and performs expected functions like redirecting downloads, managing multi-select modes, and supporting video capture. While it uses several permissions that are typical for such tools, the broad host access and native messaging capabilities raise concerns about potential misuse or exploitation if not properly secured. Users should ensure they trust both the extension developer and their installed Xunlei client before using this tool.