In April 2026, a widely-used color picker extension — Featured on the Chrome Web Store, 400,000+ users — was caught collecting and transmitting users' visited URLs and referrer data to a remote server (PiunikaWeb, April 2026). Not suspected of it — a researcher diffed the extension's code between versions and showed the tracking being added. The extension was still Featured when this story ran.
That is not a hypothetical about what browser extensions could do. It happened. It was reported. And it illustrates the problem with color pickers specifically: they're small, trusted, always-on tools that you install once and forget about. Which makes them attractive targets for abuse.
After reading that story, I looked for an alternative I could actually verify. I couldn't find one I was confident about — so I built one.
One permission. Here's the manifest
"permissions": ["storage"]
That's it. One permission. storage keeps your local palette between sessions. There is no tabs permission, no activeTab, no <all_urls>, no host permissions for ad networks or analytics providers.
There is one host permission — https://api.lemonsqueezy.com/* — for license validation on the paid tier. That call goes out when you activate a paid license key. It verifies the key. It does not send browsing history, installed extensions, tab URLs, or anything about what you're doing. The free eyedropper works with no network calls at all.
You can verify this yourself. In Chrome: chrome://extensions → Details on any extension → "Site access" and "Permissions." Cross-check the source. This is what I'd want from any extension I'm running constantly in my browser.
How the eyedropper actually works
The extension uses the browser's native EyeDropper API (window.EyeDropper), available in Chrome 95+ and part of the W3C spec. Here's the full flow:
const eyeDropper = new EyeDropper();
const result = await eyeDropper.open();
// result.sRGBHex — that's the entire data surface
When you click the eyedropper button, the browser takes over screen capture — not the extension. The extension receives a single hex value when you click a pixel. It does not take screenshots. It does not maintain persistent access to what's on your screen. It cannot see what tab you're on or what page you're reading.
This is not a design choice I made. It's how the API works. The browser sandboxes screen access to the moment of selection and hands the extension only the result.
What happens after you pick a color:
- The hex value is displayed in the popup
- It's added to a local palette stored in
chrome.storage.local— your browser's own storage, not a server - A WCAG contrast check runs against your palette entries using the relative luminance formula (WCAG 2.1 §1.4.3)
What does not happen:
- No network requests during normal use
- No analytics SDK
- No account system
- No background service worker running while you're not using the popup
- No access to page content, tab URLs, or browsing history
The WCAG contrast checker
This was the feature I kept not finding in alternatives. When you're picking colors for a UI, you need to know whether a foreground/background pair meets WCAG AA (4.5:1 for normal text, 3:1 for large text). The extension calculates this inline as you build your palette — no external call, just the relative luminance formula over two hex values.
L = 0.2126 * R + 0.7152 * G + 0.0722 * B
contrast = (L1 + 0.05) / (L2 + 0.05)
It tells you pass/fail at both thresholds as you work. Useful if you're picking brand colors, building design tokens, or checking a client's palette for accessibility compliance.
What I'm launching
The extension is live on the Chrome Web Store: mmdnjjpnigidljigfkjohldlipdkaomp.
The basic eyedropper is free. The paid features — export (PNG, JSON, CSS custom properties) and image palette extraction — unlock for $9 one-time. No subscription. License tied to your browser via Lemon Squeezy, which is the one outbound call mentioned above.
Demand page with install link and details: colorpicker.hudsonenterprisesllc.com
On the permission question
If you're currently using a color picker extension, open chrome://extensions, find it, and look at "Permissions" and "Site access." Extensions with tabs permission can read your open tab URLs. Extensions with <all_urls> or broad host permissions can inject scripts into every page you load. Permissions don't expose what an extension does with that access — only what it's allowed to do. Network calls happen within whatever access the extension already has.
Worth knowing. I'm not saying any specific extension you're using is doing something wrong. I'm saying the April 2026 incident was real, the risk is structural, and the minimum-permission approach I took here is verifiable.
Built by Hudson Enterprises LLC. Questions: support@hudsonenterprisesllc.com
I built this and the demand page linked above is mine.
Top comments (1)
How did you handle color palette storage with only the storage permission, did you use localStorage or something else? I'd love to swap ideas on building similar extensions, what inspired you to create this?