Salesforce FLS Comparator Expanded sɣur Jacob Crandall
Compare Salesforce Field Level Security settings across fields and orgs
Yella ɣef Firefox i Android™Yella ɣef Firefox i Android™
1 useqdac1 useqdac
Scan the QR code to open this extension in Firefox for Android
Asiɣzef aɣefisefka
Tuṭṭfiwin n wegdil
Tisirag akked yisefka
Yesra tisirag:
- Kcem γer icarren n iminig
- Kcem ɣer yisefka-ik n i yismal di salesforce.com n taɣult
- Kcem ɣer yisefka-ik n i yismal di lightning.force.com n taɣult
- Kcem ɣer yisefka-ik n i yismal di my.salesforce.com n taɣult
- Kcem ɣer yisefka-ik n i yismal di sandbox.my.salesforce.com n taɣult
- Kcem ɣer yisefka-ik n i yismal di develop.my.salesforce.com n taɣult
- Kcem ɣer yisefka-ik n i yismal di salesforce-setup.com n taɣult
- Kcem ɣer yisefka-ik n i yismal di my.salesforce-setup.com n taɣult
- Kcem ɣer yisefka-ik n i yismal di sandbox.my.salesforce-setup.com n taɣult
Alqaḍ n yisefka:
- Aneflay yenna-d asiɣzef-a ur yeḥwaǧ ara alqaḍ n yisefka.
Ugar n telɣut
- TigIseɣwan n uzegrir
- Lqem
- 1.0.5
- Teɣzi
- 166,6 KB
- Aleqqem aneggaru
- një muaj më parë (11 Qer 2026)
- Taggayin i ilan assaɣ
- Turagt
- Turagt IT
- Amazray n Lqem
- Rnu ar tegrumma
PERMISSIONS
storage — persists FLS snapshots and apply-history in browser.storage.local only. Nothing is sent remotely.
tabs — identifies which tab holds an active Salesforce session to retrieve the correct instance URL.
cookies — Salesforce marks its session token ("sid") HttpOnly, so document.cookie in a content script cannot read it. The background service worker reads it via browser.cookies.get() on the Salesforce host, uses it as a Bearer token for REST/Tooling API calls back to that same org, and never stores or transmits it elsewhere.
host_permissions (.salesforce.com, .lightning.force.com, .my.salesforce.com, .sandbox.my.salesforce.com, .develop.my.salesforce.com, .salesforce-setup.com variants) — required for the background worker to make authenticated fetch() calls to the Salesforce REST and Tooling APIs. The wildcard is necessary because orgs use unpredictable customer-specific subdomains.
CONTENT SCRIPT
salesforce-bridge.content.ts runs on Salesforce domains only. It detects Set Field-Level Security pages via URL pattern and injects a launch button. It reads nothing beyond what is already in the page URL. The background worker rejects any message from a content script whose sender tab is not a recognised Salesforce hostname.
HOW TO TEST
Requires a free Salesforce Developer Edition org (developer.salesforce.com/signup).
1. Open any page in the org after logging in.
2. Open the FLS Comparator sidebar (View → Sidebar → FLS Comparator).
3. Select an object (e.g. Contact) and field (e.g. Email), then click Fetch FLS.
4. The table shows Read/Edit access for every Profile and Permission Set in the org.
No eval(), no remote scripts, no telemetry. All network traffic goes only to the user's own Salesforce org.