Browser extension to validate C2PA digital assets
MIT License
NOTE: this project is a developer preview prototype; it is not meant to be used in production. One goal of the project is to incubate updates and extensions to the C2PA specifications; as such the browser validator might not be fully compliant with the current version of the specifications.
This project contains an Edge/Chrome/Firefox browser extension that can validate C2PA assets. Our goal is to provide a developer tool to
The extension must be side-loaded into a browser; see the setup section. The extension doesn't contain a built-in certificate trust list; trusted certificates must be imported by the user. See the trust setup section.
The extension makes use of the c2pa library from the Content Authenticity Initiative.
The following asset types can currently be verified by the extension:
The extension can either be downloaded from this repository or built locally.
Either download and unzip the last stable version (dist-chrome.zip, dist-firefox.zip) or the latest dev one from the Build Browser Extension Action CI (click the latest workflow run, and see the Artifacts section).
As a prerequisite, install the pnpm package manager.
Firstly, install the dependencies:
pnpm install
Secondly, build the extension:
pnpm run build
The Edge/Chrome manifest.json file is located in dist/chrome. The Firefox manifest.json file is located at dist/firefox.
Follow the side-loading instructions for your browser to load the extension:
To enable the extension in Firefox, you need to grant specific user permissions:
Add-ons
Extensions tab
Permissions
Access your data for all websites permission
Visit these pages to test the extension:
Users must import a list of trusted signers or add them individually as trust anchors for C2PA assets to be validated properly; the trust lists must be formatted as described here. This can be done through the Options tab of the browser extension's toolbar popup window.
Note: the underlying C2PA library that does the certificate validation does not currently accept trust anchors to create complete X.509 chains; the full certificate chain must therefore be present in a C2PA manifest to be considered valid.
The extension automatically scans the current HTML page for C2PA assets and validates them. An icon representing the validation status is then overlaid on the asset:
a valid asset, i.e., a well-formed C2PA manifest signed by a trusted issuer
an untrusted asset, i.e., a well-formed C2PA manifest signed by an unknown issuer
an invalid asset
See the C2PA specification for the definition of well-formed manifests and trusted signers.
Note that the untrusted warning icon is not currently specified in the C2PA UX recommendations.
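The three overlay states and the full-chain requirement noted above can be modelled as follows. This is an added example, not code from the extension or the c2pa library; the certificate objects, fingerprint matching, function names and the mapping of an incomplete chain to "untrusted" are assumptions made for illustration.

```javascript
// Added illustration: a simplified model, not the extension's or the c2pa library's code.
// A real validator also verifies signatures, validity periods and key usage.

// Failure code defined in the C2PA specification for an unknown signer.
const UNTRUSTED = 'signingCredential.untrusted';

// Walk the chain embedded in the manifest, leaf first. Nothing is added from the
// trust list to complete it: a missing link means the walk fails.
function embeddedChainIsTrusted(chain, trustedFingerprints) {
  for (let i = 0; i < chain.length; i++) {
    const cert = chain[i];
    if (trustedFingerprints.has(cert.fingerprint)) return true; // listed cert reached
    const next = chain[i + 1];
    if (!next || next.subject !== cert.issuer) return false; // chain ends early or is broken
  }
  return false; // empty chain
}

// Map validation results to the three overlay states (valid / untrusted / invalid).
function classifyAsset(failureCodes, chain, trustedFingerprints) {
  const other = failureCodes.filter((code) => code !== UNTRUSTED);
  if (other.length > 0) return 'invalid'; // any failure other than an unknown signer
  if (failureCodes.includes(UNTRUSTED)) return 'untrusted';
  // Assumption: an incomplete embedded chain is reported as untrusted, not invalid.
  return embeddedChainIsTrusted(chain, trustedFingerprints) ? 'valid' : 'untrusted';
}

// Constructed sample data; subjects and fingerprints are placeholders.
const leaf = { subject: 'Example Signer', issuer: 'Example Intermediate CA', fingerprint: 'fp-leaf' };
const inter = { subject: 'Example Intermediate CA', issuer: 'Example Root CA', fingerprint: 'fp-inter' };
const root = { subject: 'Example Root CA', issuer: 'Example Root CA', fingerprint: 'fp-root' };
const trustList = new Set(['fp-root']); // imported by the user; the extension ships none

console.log(classifyAsset([], [leaf, inter, root], trustList)); // full chain embedded
console.log(classifyAsset([], [leaf, inter], trustList)); // root omitted from manifest
console.log(classifyAsset(['assertion.dataHash.mismatch'], [leaf, inter, root], trustList));
```

With an empty trust list, which is the state of a fresh install, every well-formed asset in this model is classified as untrusted.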
The extension currently has a few limitations that will be addressed in future releases:
about:config
ui.popup.disable_autohide and set it to true. Note: This change keeps the popup window open until you press the [esc] key.
The c2pa library attempts to load scripts into a web worker from a blob-data URL, which Firefox blocks by default without a configurable way to allow it. A patch of node_modules/c2pa/dist/c2pa.esm.js:createPoolWrapper allows loading from a local extension URL instead. Ensure the patch is applied by running pnpm install, as npm install does not apply it. Be cautious when updating the c2pa library as it may require reapplying or reconstructing the patch.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.