Security
Our commitment to keeping your data safe.
Security Philosophy
TrackBlock follows a zero-trust architecture by design. We believe the most secure way to protect user data is to never have access to it in the first place. Every decision in TrackBlock's design starts from this principle.
Local Processing
All tracker analysis occurs entirely within your browser. TrackBlock never sends email content, tracking data, or any information to external servers. The extension operates as a fully self-contained analysis engine that runs locally on your device.
Permission Model
TrackBlock requests only the minimum permissions necessary to function:
Minimal Scope
The extension only activates on email provider domains (Gmail). It does not request broad host access or read data on arbitrary websites.
No Network Access
TrackBlock does not make external network requests for its core functionality. The extension can identify and block trackers without contacting any server.
Extension Security
TrackBlock follows Chrome extension security best practices:
- Content Security Policy (CSP) is enforced to prevent XSS attacks
- All extension code is static and reviewed before release
- No remotely hosted code is loaded or executed: all logic is bundled with the extension
- Isolated world execution prevents interference from page scripts
- Regular updates to address any discovered vulnerabilities
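The permission and CSP claims above can be checked against an extension's `manifest.json`. The following audit is an added example, not TrackBlock's own code: both manifests are constructed samples, and the allowed host pattern `https://mail.google.com/*` is an assumption, since the page only says "Gmail".

```javascript
// Audit a Manifest V3 manifest object for broad host access, MAIN-world
// content scripts, and weak script sources in the extension-page CSP.
const ALLOWED_HOSTS = new Set(["https://mail.google.com/*"]); // assumption
const BROAD_HOST = /^(<all_urls>|(\*|https?):\/\/\*\/)/; // e.g. *://*/*, https://*/*

function auditManifest(m) {
  const findings = [];
  const hosts = [
    ...(m.host_permissions || []),
    ...(m.optional_host_permissions || []),
    ...(m.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const h of hosts) {
    if (BROAD_HOST.test(h)) findings.push(`broad host access: ${h}`);
    else if (!ALLOWED_HOSTS.has(h)) findings.push(`unexpected host: ${h}`);
  }
  // Content scripts default to the isolated world; "MAIN" shares the page's JS context.
  for (const cs of m.content_scripts || []) {
    if (cs.world === "MAIN") findings.push("content script runs in MAIN world");
  }
  const csp = (m.content_security_policy || {}).extension_pages || "";
  for (const directive of csp.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name !== "script-src" && name !== "default-src") continue;
    for (const s of sources) {
      if (s === "'unsafe-eval'" || s === "'unsafe-inline'" || /^(https?:|\*)/.test(s)) {
        findings.push(`weak CSP source in ${name}: ${s}`);
      }
    }
  }
  return findings;
}

// Constructed sample manifests (not TrackBlock's real manifest).
const narrowManifest = {
  manifest_version: 3,
  host_permissions: ["https://mail.google.com/*"],
  content_scripts: [{ matches: ["https://mail.google.com/*"], js: ["content.js"] }],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};
const broadManifest = {
  manifest_version: 3,
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"], world: "MAIN" }],
  content_security_policy: {
    extension_pages: "script-src 'self' 'unsafe-eval' https://cdn.example.com",
  },
};
console.log(auditManifest(narrowManifest), auditManifest(broadManifest));
```

The manifest cannot show whether bundled code makes network requests at runtime; that claim needs a review of the packaged scripts or observation in the browser's network tooling.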
Data Protection
Since TrackBlock does not collect or transmit data, traditional data protection concerns around storage, encryption, and transmission are inherently addressed. What little data exists (your preferences) stays in your browser's local storage, under your full control.
Responsible Disclosure
If you discover a security vulnerability in TrackBlock, please report it responsibly. We will investigate and address verified vulnerabilities promptly. We ask that you:
- Share details privately with our security contact
- Allow reasonable time for investigation and remediation
- Act in good faith to protect user privacy and security