Labvanced Web Bridge Extension — Privacy Policy

This privacy policy describes the data practices of the Labvanced Web Bridge browser extension, a companion tool for the Labvanced experiment platform (labvanced.com).

Data Collection

When activated by a research study on labvanced.com, this extension collects the following data from websites embedded in the Labvanced experiment player:

  • Element coordinates (bounding-box position and size) of researcher-selected website elements
  • Mouse interaction data: click positions, hover events, and mouse movement coordinates
  • Element descriptions and visible text snippets (truncated to 50 characters)
  • Page scroll positions
  • The current page URL within the embedded iframe

This data is collected solely for the purpose of conducting UX research experiments within the Labvanced platform.

When Not Active

The extension’s content scripts are injected into all iframes but exit immediately unless location.ancestorOrigins confirms that labvanced.com is an ancestor frame. On non-Labvanced pages, no listeners are installed, no DOM is read, and no data flows.

Iframe header modification (removal of X-Frame-Options and Content-Security-Policy from sub-frame responses) is scoped to tabs whose top-level URL is labvanced.com via tab-specific declarativeNetRequest session rules. Other tabs and top-level page loads are never affected. Session rules live in memory only and do not persist across browser restarts.

Data Flow

All collected data is transmitted exclusively to the embedding labvanced.com page via the browser’s postMessage API. No data is sent to external servers by the extension. No data is stored locally by the extension. The extension makes no outbound network requests of its own.

Permissions

The extension requires broad host permissions (<all_urls>) because researchers may embed any website in their experiments and the target domains cannot be predicted in advance. All functionality is scoped to labvanced.com at runtime through:

  • Ancestor origin checks (location.ancestorOrigins, fail-closed)
  • postMessage origin validation (exact hostname match via URL parsing)
  • Message source pinning (event.source === window.parent)
  • Iframe-only guards (scripts exit in top-level frames)
  • Tab-scoped declarativeNetRequest session rules (header modification only in labvanced.com tabs)
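
The first four checks in this list, sketched as an added example (not the extension's own code). Function names are hypothetical, and treating "exact hostname match" as the single host labvanced.com over https is an assumption.

```javascript
// Added illustration; all names are hypothetical, not taken from the extension.
const TRUSTED_HOST = "labvanced.com"; // host named in the policy

// Exact hostname match via URL parsing. Unparsable or opaque origins
// ("null", empty string) are rejected. The https requirement is an assumption.
function isTrustedOrigin(origin) {
  try {
    const u = new URL(origin);
    return u.protocol === "https:" && u.hostname === TRUSTED_HOST;
  } catch {
    return false;
  }
}

// Iframe-only guard plus fail-closed ancestor check.
function shouldActivate(win) {
  if (win.top === win.self) return false; // top-level frame: exit
  const ancestors = win.location && win.location.ancestorOrigins;
  // API unavailable or empty list: fail closed rather than guess.
  if (!ancestors || ancestors.length === 0) return false;
  return Array.from(ancestors).some(isTrustedOrigin);
}

// Source pinning and origin validation for an incoming message event.
function acceptMessage(event, win) {
  return event.source === win.parent && isTrustedOrigin(event.origin);
}

// Reply only to the validated origin, never to "*".
function replyTo(event, win, payload) {
  if (!acceptMessage(event, win)) return false;
  event.source.postMessage(payload, event.origin);
  return true;
}

// Constructed sample: a frame whose parent is the trusted page.
const sampleParent = { postMessage: () => {} };
const sampleFrame = {
  top: sampleParent,
  parent: sampleParent,
  location: { ancestorOrigins: ["https://labvanced.com"] },
};
sampleFrame.self = sampleFrame;
console.log("activate in sample frame:", shouldActivate(sampleFrame));
```

A substring or suffix comparison would accept lookalike hosts such as labvanced.com.evil.example; comparing the parsed hostname for equality does not.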

Third Parties

No data collected by the extension is transferred to third parties. The extension does not use any remotely hosted code, analytics, or tracking services.

Contact

For questions about this extension or its data practices, please contact [email protected].

 
