JSONView has been removed/disabled from the Chrome Web Store
tordans opened this issue
The extension is also automatically disabled with the notice that "this extension contains a serious security vulnerability."
Does anyone know more or how to fix it?
Further input
Update 2016-11
I emailed @gildas-lormeau but did not hear back from him.
I switched to "JSON Viewer" now like @dan-blanchard suggested. JSON Viewer has a cleaner Issue and PR List than JSON-formatter, so I go with JSON Viewer and hope the maintainer will stay with us :).
Update 2017-02
Apparently the Chrome Extension is live again. I don't understand why and I will not use it anymore, but it's there for now: https://chrome.google.com/webstore/detail/jsonview/chklaanhfefbnpoihckbnefhakgolnmc
Update 2017-02 b
See comment, #75 (comment), all is good for now.
Does this PR from 2 years ago address the issue? #49
Yep, can confirm it. Use the following page as a reproducible test case when JSONView is enabled.
The gist file being served can be found here (in safe form): https://gist.github.com/MattRyder/f356b402f696f147943907eb8a3859e5
I've been getting some questions on my (unrelated & unpublished) jsonview-chrome repository, https://github.com/jamiew/jsonview-chrome
Has anyone stepped up to fix things in this repo + republish yet?
There are alternative extensions that seem to be just as nice (if not nicer):
Yep, there are actually several different UXSS issues in JSONView-for-Chrome's `master`.
- One @joevennix reported in the autolinking code #49
- One found by a Chinese security researcher in the JSONP handling http://blog.knownsec.com/2016/04/%E6%98%8E%E6%9E%AA%E6%98%93%E8%BA%B2%E6%9A%97%E7%AE%AD%E9%9A%BE%E9%98%B2-jsonview-0day/
- Another UXSS I privately reported to the maintainer / Google along with a patchset. This issue allowed more-or-less complete Same-Origin policy bypass because it abused an `eval()` in the content script. The maintainer didn't respond so Google removed the extension.
If someone wants to take ownership of a fork, this patchset should fix all three issues.
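For readers following the three issue classes listed in the comment above (autolinking, JSONP handling, `eval()` in the content script), here is a sketch of the defensive pattern a JSON-rendering content script can use: parse the body as data only and escape everything before building HTML. It is an added example, not part of the thread and not JSONView's code or the patchset mentioned; all function names are hypothetical.

```javascript
// Added illustration; function names are hypothetical, not JSONView's code.

// Escape text before it is placed into extension-generated HTML.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Unwrap an optional JSONP callback and parse the payload as data only.
// JSON.parse never executes code, unlike eval() on the response body.
function parseJsonOrJsonp(text) {
  const m = /^\s*([A-Za-z_$][\w$.]*)\s*\(([\s\S]*)\)\s*;?\s*$/.exec(text);
  const body = m ? m[2] : text;
  try {
    return { ok: true, callback: m ? m[1] : null, value: JSON.parse(body) };
  } catch (e) {
    // Not valid JSON: report failure so the caller leaves the page untouched.
    return { ok: false, callback: null, value: null };
  }
}

// Render one JSON string value; only well-formed http(s) URLs become links.
function renderString(value) {
  const shown = escapeHtml(JSON.stringify(value));
  let url = null;
  try { url = new URL(value); } catch (e) { /* not a URL, render as text */ }
  if (url && (url.protocol === "http:" || url.protocol === "https:")) {
    // href is the normalized URL, escaped again for the attribute context.
    return '<a href="' + escapeHtml(url.href) + '">' + shown + "</a>";
  }
  return "<span>" + shown + "</span>";
}
```
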
@dan-blanchard They don't work the way JSON View did.
Which feature(s) are those 2 that @dan-blanchard listed missing?
Yeah, I've found JSON Viewer to be a lot nicer than JSONView.
Main thing I miss from old JSONView is the ability to see the path in the status bar, and easily copy the path or value via right-click.
I now switch between using JSON Formatter and JSON Viewer, but as far as I can tell neither offers that old beloved feature.
I've also mentioned this on the existing JSON Viewer feature request here: tulios/json-viewer#67 (comment)
@alahosky I think you should post this as a feature request on one or both of the other plugins' GitHub repos, so they can think about adding it.
Btw, ATM https://chrome.google.com/webstore/detail/jsonview/chklaanhfefbnpoihckbnefhakgolnmc is live again – don't know why.
@JordanMilne Thanks. This could all go so much more smoothly, but well… :-)
Yup @tordans ... I've also mentioned this on the existing JSON Viewer feature request here: tulios/json-viewer#67 (comment)
Feel free to vote for it over there :)