Save as PDF
Lets you download web pages as PDF in one click, making it easy for anyone to capture and save online content for later reference or sharing. Ideal for students, researchers, and professionals who need to preserve digital information, Save As Pdf simplifies the process of saving web pages to a single file. With over 300,000 users, this extension has proven itself as a convenient solution for those looking to save the web in a more organized format.
Overview
This add-on allows you to easily save web pages as PDF. It adds an icon to your browser's toolbar, which you can click to save the current page as PDF. The add-on is powered by the PDFCrowd HTML to PDF online service.
*Please note* that for security reasons, it is not possible to create PDFs from pages that require a login, such as your webmail inbox, online banking, shopping cart contents, payment checkouts, and similar sites.
Learn more about how the add-on works at https://pdfcrowd.com/save-as-pdf-addon/
If you need support or have suggestions, please visit https://pdfcrowd.com/contact/.
Package Contents: 26 files · 60KB
What This Extension Does
This extension saves web pages as PDFs using an online service and adds a toolbar button for easy access.
Permissions
- tabs (expected): Lets the extension see which webpage you're viewing, so it knows what to save when you click the button.
- storage (expected): Allows the extension to save settings or preferences locally in your browser, like whether to open PDFs automatically after saving.
- downloads (expected): Enables the extension to save files directly to your computer's download folder without asking permission each time.
Your Data
The extension sends web page content to PDFCrowd's online service for conversion into a PDF. It may also transmit browsing context and metadata about the saved pages.
Code Findings
The extension uses a method that can potentially insert unsafe code into the page if it receives untrusted input, which could allow attackers to run harmful scripts.
💡 Common in extensions that dynamically render HTML elements based on runtime data.
Trustworthiness
- Developer: Developer name is not listed in the extension metadata, making it difficult to verify identity or track support history.
- Privacy Policy: No explicit privacy policy linked from Chrome Web Store listing. The developer's description mentions PDFCrowd as a third-party service but doesn't clarify what data they collect or how it's handled beyond basic page content.
- Install Base: Installed by 300,000 users with no recent updates noted in scan data. Indicates long-standing presence but not necessarily active maintenance.
Nothing in this scan suggests behavior beyond what is needed for saving web pages as PDFs. However, the lack of a visible developer identity and absence of a privacy policy raise questions about transparency.
Extension Overview
This extension saves web pages as PDFs using an online service and adds a toolbar button for easy access.
Permissions
- tabs (expected): Exposes Chrome's tabs API allowing read and modify access to tab information including URL, title, and active state. An attacker with this permission could monitor or manipulate browsing sessions across sites.
- storage (expected): Grants access to Chrome's storage API for persistent key-value data. Could be used to store user preferences, session tokens, or tracking identifiers if misused.
- downloads (expected): Provides access to Chrome's downloads API, allowing file creation and management in user-specified locations. If misused, could lead to unauthorized file writes or data exfiltration via download triggers.
Data Exposure (Technical)
Connects to https://pdfcrowd.com/ which receives HTML content, cookies (if present), and possibly authentication tokens depending on how it handles login-protected pages. Uses HTTP(S) protocols but does not specify encryption details for data in transit beyond standard TLS.
Code Findings
Detected use of innerHTML in background script context. This pattern is often used for dynamic UI updates but poses XSS risk when content comes from external sources or user inputs. In this case, no clear evidence that the source is attacker-controlled; however, it's a potential vector if future code changes introduce such behavior.
💡 Common in extensions that dynamically render HTML elements based on runtime data.
Code Analysis
- Obfuscation: Standard minification observed. No heavy obfuscation techniques like string encoding or control flow flattening detected.
- Content Security Policy: Content Security Policy is not set, meaning the extension does not enforce restrictions on script execution or inline code loading.
- Architecture: Uses Manifest V3 with a background service worker and no content scripts. The architecture implies minimal interaction with page DOM but relies heavily on tab APIs for navigation awareness.
Transparency
- Developer: Developer name is not listed in the extension metadata, making it difficult to verify identity or track support history.
- Privacy Policy: No explicit privacy policy linked from Chrome Web Store listing. The developer's description mentions PDFCrowd as a third-party service but doesn't clarify what data they collect or how it's handled beyond basic page content.
- Code Visibility: Code appears bundled and minified, limiting independent auditability by external parties without access to source repositories.
- Install Base: Installed by 300,000 users with no recent updates noted in scan data. Indicates long-standing presence but not necessarily active maintenance.
The extension exposes moderate attack surface through tab, storage, and download permissions aligned with its stated purpose. The medium-severity innerHTML assignment in background script is concerning due to potential XSS implications if input sources change. CSP absence increases risk exposure; researchers should manually inspect the codebase for insecure practices or hidden functionality beyond what's described.