The Privacy Bug in My First Chrome Extension (And How to Avoid It)

Khaled Mahmud — Mon, 25 May 2026 19:23:24 +0000

Day 4 of building ReFind, and I found a bug that I'm embarrassed took me
this long to find.

My clipboard listener Chrome extension was capturing everything I copied.
Not just URLs — passwords, phone numbers, random text, partial sentences.
All of it was being sent to my webhook endpoint without any validation.

Here's how I fixed it and why this validation step should be first in
any clipboard-touching Chrome extension.

The Problem

The clipboard listener flow looked like this:

Copy event fires
Extension reads clipboard
Extension sends to webhook

Step 3 had no filter. Every copy event, every piece of content, went through.

The Fix: URL Validation Regex

I added a validation check as the absolute first step in the pipeline,
before any processing, storage, or network calls:

const URL_PATTERN = /^https?:\/\/[^\s$.?#].[^\s]*$/i;

function isValidUrl(text) {
return URL_PATTERN.test(text?.trim());
}

// In the event handler:
const clipboardText = await readClipboard();
if (!isValidUrl(clipboardText)) return; // Drop immediately

This check happens before anything else. If the content isn't a URL,
the handler returns immediately. Nothing is logged, nothing is sent,
nothing is stored. The clipboard data is discarded.

Why This Is a Privacy Issue, Not Just a Bug

An extension that captures clipboard content without validation is
functionally capturing everything the user copies. In a world where
users copy passwords, OTPs, sensitive messages, and personal information —
this is a meaningful privacy problem.

Chrome's extension permission model requires justifying clipboard access
in your store listing. An extension that uses that access broadly (capturing
everything) and narrowly describes itself (URL collector) is at risk of
policy violations, user trust issues, and justified negative reviews.

The Validation Should Be First, Not Last

The instinct when building is to "add validation later." This is the wrong
order for clipboard extensions. Validate at the earliest possible point
in the pipeline — before you do anything with the data.

If you're building something that touches the clipboard, the first line
of your handler should be a validity check that drops everything you
don't intend to process.

This one addition changes the security profile of the extension entirely

Building a Clipboard Listener Chrome Extension in Manifest V3: What I Learned the Hard Way

Khaled Mahmud — Fri, 22 May 2026 16:26:51 +0000

When I started building ReFind — a Chrome extension that captures URLs
as you copy them — I assumed the clipboard listener would be the easy part.
It wasn't. Here's what actually happened and how I solved it.

The Goal

Every time the user copies a URL (Cmd+C / Ctrl+C on a link), the extension
should silently capture it, validate it's actually a URL, and process it.
No popup interaction required. Fully automatic.

Why Background Scripts Are Tricky in MV3

Manifest V3 replaced persistent background pages with service workers.
Unlike a background page that stays alive as long as the browser is open,
a service worker can be terminated by Chrome after ~30 seconds of inactivity.

This creates a problem: if you store anything in memory (variables, state),
it can vanish between events. The fix: persist everything to
chrome.storage.local immediately.

The Clipboard Access Problem

Here's the tricky part: you can't directly access navigator.clipboard
from a service worker context. Chrome restricts clipboard access to require
an active user gesture (a click, keypress, etc.) — and service workers
don't have a DOM or event context for this.

The solution I landed on:

Listen for the copy keyboard shortcut using chrome.commands API
Inject a content script into the active tab (which has DOM access)
Have the content script read the clipboard and message the background script with the result

Content script → background script communication via chrome.runtime.sendMessage().

URL Validation

Once I had clipboard access working, I needed to filter for URLs only.
A simple regex check before processing:

const isUrl = /^https?:\/\/.+/.test(text);

This prevents capturing phone numbers, random copied text, passwords, etc.

What I'd Do Differently

If I were starting over, I'd add the URL validation earlier in the pipeline —
ideally at the content script level before sending to the background. Less
round-tripping, and it prevents unnecessary message passing.

The one thing I underestimated: the permission model in MV3 is strict and
intentionally so. Read the permission docs carefully before you assume
something will just work.

Questions? I'm happy to go deeper on any part of this.

DEV Community: Khaled Mahmud

The Privacy Bug in My First Chrome Extension (And How to Avoid It)

Building a Clipboard Listener Chrome Extension in Manifest V3: What I Learned the Hard Way