A Chrome extension that recovers original source files from JavaScript source maps of any React, Next.js, Vite, or Webpack-based web application.
Modern web applications bundle and minify their JavaScript before deployment. However, many production sites accidentally (or intentionally) expose source map (.map) files alongside their bundles. These files contain the original, human-readable source code.
UnmapJS automates the process of:
- Discovering all JavaScript chunk files loaded by a page (via
<script>tags, the Performance API, build manifests, and common route probing). - Detecting sourcemap references (
//# sourceMappingURL=...) inside those chunks. - Extracting the original source files from the sourcemap JSON.
- Packaging everything into a
.ziparchive for local export.
It can also run a passive background scanner (optional) on pages where you granted access, notifying you when source code is found.
- One-click analysis with live step-by-step progress
- Optional passive auto-scan on navigation with badge indicator
- Discovers chunks via HTML parsing, Performance API, and Next.js build manifests
- Optional common-path probing (login, dashboard, etc.)
- Optional
node_modulesinclusion / exclusion - Browser notification when sourcemaps are detected
- Downloads recovered source files as a structured ZIP archive
- DevTools panel — captures all page resources (JS, CSS, images, fonts, XHR) in memory and downloads them as ZIP with preserved folder structure
- Batch URL mode — navigate and save resources from a list of URLs automatically
- Fallback download — when sourcemaps have no embedded source code, automatically fetches and packages the raw JS chunks instead
- Clone or download this repository.
- Open Chrome and navigate to
chrome://extensions/. - Enable Developer mode (top-right toggle).
- Click Load unpacked and select the project folder.
To pack as a .crx file:
chrome://extensions/ → Pack Extension → select project folder
GitHub repository: https://github.com/intelseclab/unmapjs-chrome-extension
Feedback and feature requests are welcome via GitHub Issues. If UnmapJS is useful for your workflow, please consider starring the repository.
| Component | Details |
|---|---|
| Manifest | V3 |
| Background | Service Worker (background.js) |
| Source discovery | src/discovery.js |
| Analysis engine | src/engine.js |
| Passive scanner | src/scanner.js |
| Source extractor | src/extractor.js |
| HTTP fetcher | src/fetcher.js (page-context + SW, CORS bypass) |
| DevTools panel | panel.html / panel.js / panel.css |
| ZIP packaging | JSZip |
| Permission | Reason |
|---|---|
activeTab, scripting |
Inject script to collect loaded chunks and page HTML |
host_permissions (http://*/, https://*/) |
Fetch JS chunks and sourcemaps cross-origin without CORS restrictions |
tabs |
Read current tab URL; navigate tab in batch mode |
downloads, downloads.shelf |
Trigger ZIP downloads from the DevTools panel |
storage |
Persist auto-scan and notification settings locally |
notifications |
Alert when sourcemaps are found during passive scan |
- Auto-scan is off by default and only activates on navigation when enabled.
- Notification alerts are off by default.
- All data stays on your machine — nothing is sent to external servers by this extension.
- DevTools panel (
panel.html/panel.js) — captures all resources already loaded by the browser (JS, CSS, images, fonts, HTML) viachrome.devtools.inspectedWindow.getResourcesand packages them as a ZIP with full folder structure preserved. - XHR / Network capture — optional toggle in the DevTools panel hooks
chrome.devtools.network.onRequestFinishedandgetHAR()to capture live fetch/XHR responses alongside static resources. - Batch URL mode — enter a list of URLs in the DevTools panel; the extension navigates to each, captures all resources, and downloads a separate ZIP per site.
- Raw chunk fallback — when a sourcemap is found but contains no embedded
sourcesContentand referenced source files cannot be fetched, the popup automatically re-fetches and packages the raw compiled JS chunks so a download is always offered. - External source fetching — before falling back to raw chunks, the engine now attempts to resolve and fetch source files referenced by URL in the sourcemap's
sources[]array (handles relative paths and absolute URLs; skips virtual bundler paths such aswebpack:///).
host_permissionspromoted from optional to required (http://*/,https://*/) — eliminates CORS errors when fetching JS chunks and sourcemaps from third-party CDN origins.- Removed per-site runtime permission prompts; access to any HTTP/HTTPS URL is now declared in the manifest.
- Auto-scan setting renamed from "Auto scan granted sites" to "Auto scan on navigation" to reflect the updated permission model.
- Download button is disabled with a contextual explanation when no files can be recovered, and relabelled "Download JS Chunks" when the raw-chunk fallback is active.
✕ No files to downloaderror shown after a successful analysis — caused by sourcemaps with emptysourcesContent; the download button now correctly reflects what is available.
- Popup-based source map scanner with three-step analysis (chunk discovery → sourcemap detection → source extraction).
- ZIP download of recovered source files with bundler-prefix stripping and path normalisation.
- Passive background scanner with badge indicator and optional browser notifications.
- Next.js build manifest expansion and common-path probing.
This tool is intended for authorized security testing, bug bounty research, and educational purposes only. Only use it on applications you have explicit permission to test. The author is not responsible for any misuse.
MIT © 2026 UnmapJS Contributors - see LICENSE for details.