What the browser extension can and can't do

Last updated: 12 May 2026

We deliberately request the minimum permissions needed to do the job. Here's the full set, what each enables, and what we'd never request.

Requested

• storage — store your session token and recent-job IDs in chrome.storage.local. Never synced to other devices.
• tabs — read the URL of the active tab to detect whether it's a WooCommerce or Shopify store.
• activeTab — inject our floating widget only on tabs you actively click the WooScraper icon on.
• scripting — run our platform-detection script on the page you're currently viewing. Required for Manifest V3.
• host_permissions: <all_urls> — necessary so the detector can run on whichever store URL you choose to scrape. The extension only fetches additional pages from the same origin as the active tab — it never reaches across stores.

Not requested

• No cookies permission — we can't read your wp-admin or Shopify-admin sessions.
• No webRequest, no MITM-style traffic interception.
• No identity, nativeMessaging, or OAuth token bridging.
• No payment-method, authentication, or PII permissions of any kind.

What gets transmitted to our backend

1. The source URL you click "Start scrape" on.
2. Raw HTML / JSON responses fetched from that source domain (gzipped).
3. Your wooscraper.com session token, to authorize the request.

We don't transmit the contents of any other tab you happen to have open. We don't transmit your browsing history. We don't fingerprint your device.

Source code

The extension is reviewable. If you'd like to audit it, we can share the unminified WXT source on request — email security@wooscraper.com.