[penagwin]

Detection is always a cat and mouse game. Using an extension in a real browser (instead of electron/headless chrome) is probably one of the hardest to detect because it requires running a "real" browser.

Of course somebody will find a way to detect it, then the extension maker will patch it, and the cycle will continue.

[mmcwilliams]

Correct me if I’m wrong, but is it not still as simple as knowing the “chrome-extension://“ unique id of the extension? I’m aware of the cat and mouse aspect of scraping and that was one of the pitfalls I’ve been wary of as a fingerprinting vector.

[SquareWheel]

I'd be surprised if sites had permission to read a chrome-extension:// URL. That'd be a sizable privacy leak.

[mmcwilliams]

I'm not sure about the chrome-extension protocol, but this API still seems to be present: https://developer.chrome.com/extensions/runtime#method-sendM...

[penagwin]

I just tested in chrome 77, and I could only do `chrome.runtime.sendMessage("clngdbkpkpeebahjckkjfobafhncgmne", {},{},console.log)` from within the Stylus extension page, not from an external page like hacker news.