Anti-Bot

What Is Browser Extension Detection?

By the Scrappey Research Team

What Is Browser Extension Detection? — conceptual illustration
On this page

Browser extension detection infers which extensions are installed by probing for the resources and side effects they expose to web pages. Extensions are the add-ons you install in your browser - ad blockers, password managers, and so on. Each one ships its own images, scripts, and stylesheets as "web-accessible resources" sitting at predictable URLs, and many also change the page: ad blockers hide elements, others inject globals (variables the extension adds to the page). By requesting those URLs or watching for those changes, a website can build a list of which extensions you have. That list is a useful fingerprinting signal - and, oddly, having no extensions at all is itself a clue that you might be an automated browser.

Quick facts

Probesweb_accessible_resources URLs (chrome-extension://<id>/...)
Also viaDOM mutations, injected globals, behaviour timing
RevealsAd blockers, password managers, automation helpers
Bot tellA profile with zero extensions + zero history
PrivacyExtension set can be near-unique across users

Resource probing and behavioural detection

The most direct method targets those shipped files. An extension lists files as web_accessible_resources in its manifest (its config file), which makes them reachable at a fixed address: chrome-extension://<extension-id>/path. Every extension has a stable ID, so a page can try to fetch() or load an <img> at a known ID and path - if it loads, the extension is installed. Manifest V3 (the newer extension format) made this harder by giving each origin a randomised UUID instead of a fixed ID, but small differences in timing and error messages still leak an extension's presence in many cases.

Indirect methods watch for what an extension does rather than what it ships: ad blockers remove elements with bait class names, password managers inject icons into form fields, and grammar checkers add overlays. A site plants bait and watches whether it gets altered, the way you might leave a marked item out to see if someone touches it.

Why it matters for bot detection

For anti-bot purposes the signal cuts both ways. A real human profile usually carries a handful of common extensions (uBlock Origin, a password manager). A freshly spun headless profile - a browser launched with no visible window and a blank slate - carries none, which, combined with empty history and a default font set, paints a clear automation picture. Conversely, some automation frameworks inject their own helper extensions whose resources are detectable directly. The realistic profile for scraping mirrors a believable human: a small, plausible extension set rather than a sterile blank slate.

Avoiding extension tells in automation

Two things give automation away here. First, automation-specific extensions and helpers (old Selenium IDE artifacts, injected helper scripts) expose web_accessible_resources that a page can probe for with a simple image or fetch load. Second, the absence of any extension at all - no ad blocker, no password manager, none of the resource-blocking behaviour a real user's browser exhibits - is itself a weak signal that you are a clean automation profile.

The fix is to drive the browser through the DevTools Protocol (Chrome's built-in remote-control interface) rather than injected extensions, so there are no chrome-extension:// resources to fingerprint, and to let the profile look ordinarily "lived-in" rather than pristine. Tools like Camoufox and managed scraping backends aim for this middle ground: no automation-specific extensions to detect, but a realistic, coherent profile rather than an obviously empty one.

Related terms

Concept map

How Browser Extension Detection connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections
You are here · Anti-Bot
Building map…

Frequently asked questions

Did Manifest V3 kill extension detection?

No. It made resource-URL probing harder by randomising each extension's resource UUIDs per origin, so a page can no longer just request a fixed ID. But behavioural detection (watching for the DOM changes an extension makes) and timing side channels still work, so the signal did not disappear.

Is having no extensions suspicious?

On its own, no. But most real browsers carry at least one extension, so a completely empty set stands out. Combined with other freshly-provisioned signals - empty history, default fonts, default screen size - a totally sterile profile contributes to a bot score.

Can extension detection identify me personally?

Yes, it can contribute. The specific combination of extensions you have installed is often near-unique, so it adds meaningful entropy (identifying detail) to your fingerprint and helps track you across sites.

Last updated: 2026-05-31