C2PA Extension Validator
NOTE: this project is a developer preview prototype; it is not meant to be used in production. One goal of the project is to incubate updates and extensions to the C2PA specifications; as such the browser validator might not be fully compliant with the current version of the specifications.
This project contains a Edge/Chrome/Firefox browser extension that can validate C2PA assets. Our goal is to provide a developer tool to
- encourage experimentation with C2PA technologies, and
- enable rapid prototyping of new C2PA features.
The extension must be side-loaded into a browser; see the setup section. The extension doesn't contain a built-it certificate trust list, these must be imported by the user; see the trust setup section.
The extension makes use of c2pa library from the Content Authenticity Initiative.
The following asset types can currently be verified by the extension:
- Image: JPEG, PNG, WEBP, AVIF, SVG
- Video: MP4
- Audio: MP3, WAV
Setup
The extension can either be downloaded from this repository or built locally.
Download instructions
Either download and unzip the last stable version (dist-chrome.zip, dist-firefox.zip) or the latest dev one from the Build Browser Extension Action CI (click the latest workflow run, and see the Artifacts section).
Build instructions
As a prerequisite, install the pnpm package manager.
Firstly, install the dependencies:
pnpm installSecondly, build the extension:
pnpm run buildThe Edge/Chrome manifest.json file is located in dist/chrome. The Firefox manifest.json file is located at dist/firefox.
Install the extension in a browser
Follow the side-loading instruction for your browser to load the extension:
To enable the extension in Firefox, you need to grant specific user permissions:
- Open the Firefox menu and select
Add-ons. - Click on the
Extensionstab. - Find the C2PA Extension Validator and click
Permissions. - Enable the
Access your data for all websitespermission.
Test the extension
Visit these pages to test the extension:
- Public test page, containing valid assets from various test issuers
- Unit test page, containing valid, untrusted, and invalid assets of different media types
- Origin test page, containing assets from project Origin publishers
Usage
Trust Setup
Users must import a list of trusted signers or add them individually as trust anchors for C2PA assets to be validated properly; the trust lists must be formatted as described here. This can be done through the Options tab of the browser extension's toolbar popup window.
Asset Validation
Note: the underlying C2PA library that does the certificate validation does not currently accept trust anchors to create complete X.509 chains; the full certificate chain must therefore be present in a C2PA manifest to be considered valid.
The extension automatically scans the current HTML page for C2PA assets and validates them. An icon representing the validation status is then overlaid on the asset:
 |
a valid asset, i.e. a well-formed C2PA manifest signed by a trusted issuer |
 |
an untrusted asset, i.e., a well-formed C2PA manifest signed by an unknown issuer |
 |
a invalid asset |
See the C2PA specification for the definition of well-formed manifests and trusted signers.
Note that untrusted warning icon is not currently specified in the C2PA UX recommendations.
Extension Limitations
The extension currently has a few limitations that will be addressed in future releases:
- Icon and overlay placement: The extension's icon and overlay may not be placed correctly on all media types or in all scenarios.
- Malicious web pages: Currently, there are limited countermeasures against web pages that would spoof, alter, or remove the extension's output.
- Accessibility: The extension's UI elements are not fully accessible.
- Conflict with other extensions: The extension may conflict with other extensions that modify the DOM or media elements. It is currently unknown which extensions may conflict with this extension.
- Partial media support: The extension currently supports only a subset of media types supported by the underlying C2PA validation library.
- Firefox compatibility: here are known issues and workarounds for Firefox:
- Popup Window Bug: Firefox has a known issue where the popup window closes immediately after opening the trust list file picker dialog, preventing the trust list from being applied. To work around this:
- Open a new tab and navigate to
about:config. - Search for
ui.popup.disable_autohideand set it totrue. Note: This change keeps the popup window open until you press the [esc] key.
- Open a new tab and navigate to
- Web Worker Script Loading: The
c2palibrary attempts to load scripts into a web worker from a blob-data URL, which Firefox blocks by default without a configurable way to allow it. A patch cofnode_modules/c2pa/dist/c2pa.esm.js:createPoolWrapperallows loading from a local extension URL instead. Ensure the patch is applied by runningpnpm install, asnpm installdoes not apply it. Be cautious when updating thec2palibrary as it may require reapplying or reconstructing the patch. - Messaging Limitations Firefox extension messaging has stricter limitations compared to Chrome/Edge. Content/injected scripts cannot directly pass messages to each other; they must route messages via the background script. This may affect functionality if you modify the extension, as messaging behavior that works in Chrome/Edge might not work in Firefox.
- Popup Window Bug: Firefox has a known issue where the popup window closes immediately after opening the trust list file picker dialog, preventing the trust list from being applied. To work around this:
Contributing
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.
Trademarks
This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.