Canvas
Overview
Canvas+ is a free Chrome Browser extension that improves the experience of students using Canvas. Everything you could need, from color themes, to navigation shortcuts, to improved performance.
The extension has an easy-to-use settings menu, and all of our features are toggle-able.
You have a full suite of appearance settings, including dark and dim mode, custom link colors, and custom sidebar colors and layouts.
Quick Inbox opens a popup on the left side of the page, allowing you to check previews of your emails without reloading the page and possibly losing what you were working on.
If enabled, the Speed Boost feature will preload links while you're idling, resulting in much faster loading speeds of 2x or 4x on struggling connections.
A feature to improve navigation is the search box. The search box can be enabled with Control+K (Command+K on Mac) or with a sidebar button and allows you to search all of your courses for pages and module items.
Rounder Modules does just as the name says: it makes Canvas modules rounder.
If the "Smart Scrolling" setting is enabled, you'll see "Scroll to Bottom" and "Back to Top" buttons on pages, discussions, and modules/assignment lists.
This can greatly speed up navigating a course with hundreds of modules.
You can see more features that are being worked on at https://github.com/canvasplus/extension . This project is open source.
The website for Canvas+ is currently https://canvasplus.org/ . This website serves as a hub for FAQ and announcements.
Security Analysis — Canvas
Package Contents 58 files · 1.7MB
What This Extension Does
This extension enhances the Canvas learning platform with custom themes, navigation shortcuts, and performance improvements.
Permissions
- *://*.instructure.com/* (expected): This permission allows the extension to modify and interact with all pages on the Canvas learning management system. Users should care because it gives access to their course data and communications within Canvas.
- storage (expected): This permission lets the extension save your settings locally on your computer so they persist between sessions. Users should know this is standard for extensions that remember preferences.
Your Data
The extension can read your Canvas activity and may send some information to external services, including its own website and third-party libraries. It does not appear to transmit sensitive data directly from Canvas unless explicitly enabled by the user.
Code Findings
The extension uses a method that can insert HTML directly into web pages. While this is often safe, it could allow attackers to inject harmful code if the content comes from an untrusted source.
💡 Commonly found in extensions that dynamically render content based on settings or preferences, especially those involving rich text or HTML formatting.
The extension listens for keyboard shortcuts like Control+K. While useful for navigation, this could potentially capture keystrokes including sensitive information if not handled carefully.
💡 Standard for extensions providing shortcut-based navigation and quick actions.
The extension may be sending data to external servers. This is not inherently malicious, but could indicate tracking or telemetry behavior that users might want to monitor.
Trustworthiness
- Developer: Developer name is not specified in the scan data or manifest file.
- Privacy Policy: No privacy policy was found in the extension metadata or listed on canvasplus.org. This raises questions about how user data may be handled.
- Install Base: Installed by 70,000 users with no recent updates noted in scan — suggests long-standing presence but limited maintenance activity.
This extension appears consistent with its stated purpose of improving Canvas usability, but the lack of a privacy policy and absence of Content Security Policy raise concerns about data handling practices. Users should review their settings carefully and consider disabling features that collect or transmit personal information.
Extension Overview
This extension enhances the Canvas learning platform with custom themes, navigation shortcuts, and performance improvements.
Permissions
- *://*.instructure.com/* (expected): Grants broad read/write access to any page under *.instructure.com, including course content, messages, grades, and user interactions. An attacker could potentially extract or alter sensitive academic information if the extension were compromised.
- storage (expected): Allows access to Chrome's storage API, enabling persistent configuration and user preference management. Could be used to store sensitive data like login tokens or personal notes if misused by a compromised extension.
Data Exposure (Technical)
Connects to domains such as canvasplus.org (for updates or analytics), www.w3.org (likely for web standards validation), reactjs.org (possibly for UI rendering), fb.me, scorecardgrades.com, twemoji.twitter.com, emojipedia-us.s3.dualstack.us-west-1.amazonaws.com, and others. Data transmission includes potentially user-specific identifiers or usage patterns but no explicit mention of sending page content or auth tokens.
Code Findings
Detected use of innerHTML assignment in content scripts which may be vulnerable to cross-site scripting (XSS) attacks if input values are not sanitized before insertion into DOM elements. This pattern is typically used for dynamic UI updates but can become a security risk when handling user-provided or remote data.
💡 Commonly found in extensions that dynamically render content based on settings or preferences, especially those involving rich text or HTML formatting.
Extension registers a global keydown listener that captures all keyboard events across the page. If combined with other features (e.g., search box), it may record typed input or commands, raising potential privacy concerns around data collection without explicit user awareness.
💡 Standard for extensions providing shortcut-based navigation and quick actions.
Code includes patterns consistent with data exfiltration (e.g., HTTP requests to third-party domains). These are often used for analytics or crash reporting; however, without clear opt-in mechanisms or transparency about what is being sent, they raise concerns regarding user privacy and intent.
Code Analysis
- Obfuscation: Standard minification observed. No heavy obfuscation techniques like control flow flattening or string encoding detected.
- Content Security Policy: Content Security Policy not set in manifest or headers — this is a significant concern as it leaves the extension vulnerable to XSS and other injection attacks due to lack of restrictions on script execution.
- Architecture: Uses Manifest V3 architecture with background service worker, content scripts injected into specific Canvas URLs. Content scripts are active across most course pages and quiz-taking contexts, indicating broad scope for interaction.
Transparency
- Developer: Developer name is not specified in the scan data or manifest file.
- Privacy Policy: No privacy policy was found in the extension metadata or listed on canvasplus.org. This raises questions about how user data may be handled.
- Code Visibility: Source code appears to be bundled and minified, making independent auditing difficult without access to original source files.
- Install Base: Installed by 70,000 users with no recent updates noted in scan — suggests long-standing presence but limited maintenance activity.
The extension exposes high-risk attack surface through global keyboard listeners and potential XSS via innerHTML assignments, compounded by missing CSP headers which leave it vulnerable to injection attacks. The lack of a privacy policy and developer identification reduces trustworthiness. Researchers should manually verify whether keystroke logging occurs in practice and confirm if any telemetry is being sent without user consent.