What Is Browser Extension Detection?

Paste into ChatGPT, Claude, or any LLM

On this page

Browser extension detection infers which extensions are installed by probing for the resources and side effects they expose to web pages. Extensions ship images, scripts, and stylesheets as “web-accessible resources” at predictable URLs; they also mutate the DOM (ad blockers hide elements) or inject globals. By requesting those URLs or watching for the changes, a site builds a list of installed extensions — a meaningful fingerprinting signal, and one where “none at all” looks like automation.

Probes	web_accessible_resources URLs (chrome-extension://<id>/...)
Also via	DOM mutations, injected globals, behaviour timing
Reveals	Ad blockers, password managers, automation helpers
Bot tell	A profile with zero extensions + zero history
Privacy	Extension set can be near-unique across users

Resource probing and behavioural detection

The most direct method: an extension declares web_accessible_resources in its manifest, making files reachable at chrome-extension://<extension-id>/path. A page can fetch() or load an <img> at a known ID+path; a successful load means the extension is present. Manifest V3 narrowed this with per-origin randomised UUIDs, but timing and error-message differences still leak presence in many cases.

Indirect methods watch for what an extension does: ad blockers remove elements with bait class names, password managers inject icons into form fields, and grammar checkers add overlays. A site plants bait and observes whether it is altered.

Why it matters for bot detection

For anti-bot purposes the signal cuts both ways. A real human profile usually carries a handful of common extensions (uBlock Origin, a password manager). A freshly spun headless profile carries none — which, combined with empty history and a default font set, paints a clear automation picture. Conversely, some automation frameworks inject their own helper extensions whose resources are detectable directly. The realistic profile for scraping mirrors a believable human: a small, plausible extension set rather than a sterile blank slate.

Avoiding extension tells in automation

Two things give automation away here. First, automation-specific extensions and helpers (old Selenium IDE artifacts, injected helper scripts) expose web_accessible_resources that a page can probe for with a simple image or fetch load. Second, the absence of any extension at all — no ad blocker, no password manager, none of the resource-blocking behaviour a real user's browser exhibits — is itself a weak signal that you are a clean automation profile.

The fix is to drive the browser through the DevTools Protocol rather than injected extensions, so there are no chrome-extension:// resources to fingerprint, and to let the profile look ordinarily "lived-in" rather than pristine. Tools like Camoufox and managed scraping backends aim for this middle ground: no automation-specific extensions to detect, but a realistic, coherent profile rather than an obviously empty one.

Related terms

What Is Browser Fingerprinting?

Browser fingerprinting is a technique that identifies and tracks a visitor by combining dozens of small, observable characteristics of their…

What Is Headless Browser Detection?

Headless browser detection is the set of probes anti-bot systems use to distinguish a headless or instrumented Chrome session from a real us…

What Is Anti-Bot Detection?

Anti-bot detection is the set of techniques websites use to distinguish automated traffic from human users — and to block, challenge, or thr…

What Is Behavioural Bot Detection?

Behavioural bot detection is the layer of anti-bot scoring that asks "how does this client act?" rather than "what is it?". It tracks mouse-…

What Is Fingerprint Lie Detection?

Fingerprint lie detection is the practice of verifying that the signals a browser reports are internally consistent and untampered, rather t…

What Is Favicon Fingerprinting (Supercookies)?

Favicon fingerprinting (the “Supercookie” technique) abuses the browser’s separate, long-lived favicon cache to store a persistent identifie…

What Is a Session Cookie?

A session cookie is an HTTP cookie that has no Max-Age or Expires attribute, so the browser stores it only in memory and deletes it when the…

Concept map

How Browser Extension Detection connects

The terms most directly tied to this one. Hover a node to see its neighbours, click to preview, drag to rearrange.

0 terms · 0 connections

You are here · Anti-Bot

Tools & solutions for this topic

Frequently asked questions

Did Manifest V3 kill extension detection?

It made resource-URL probing harder by randomising resource UUIDs per origin, but behavioural detection (watching DOM changes) and timing side channels still work, so the signal did not disappear.

Is having no extensions suspicious?

On its own, no. Combined with other freshly-provisioned signals — empty history, default fonts, default screen size — a completely sterile profile contributes to a bot score.

Can extension detection identify me personally?

The combination of installed extensions is often near-unique and adds meaningful entropy to a fingerprint, so yes, it contributes to cross-site identification.

Last updated: 2026-05-28