Injected JS security — what a snippet can really do

Injected JavaScript is powerful — it runs with the full rights of the page you visit. That makes it useful and, at the same time, worth understanding. This article explains what a snippet can really do and whom to trust.

What injected JS can do

Rule code runs in the page context — it has the same access the page's own scripts do:

These are exactly the capabilities that make rules useful. But it means that running someone else's snippet runs someone else's code with those rights.

What injected JS cannot do

The trust principle — read before you paste

When importing a shared bundle, JustZix shows a warning if it contains JavaScript — and rightly so. A CSS rule will at worst break the look. A JS rule can read what you type into a form. Before you run someone else's snippet:

JustZix itself does not spy

The extension has no telemetry — it does not report which pages you visit or what you inject. The backend sees only the sync-key hash and encrypted rule bundles. The risk does not lie in the tool — it lies in the code you choose to run yourself. So write rules yourself, or run only the ones you understand.
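A first-pass aid for reading a shared snippet before you paste it, as an added example (not JustZix code): it reports the lines that touch typed input, stored session data, the network, or dynamically built code. The function name, the verdict labels and the pattern list are assumptions made for this illustration, and the sample snippets are constructed.

```javascript
// Added example: heuristic review aid, not part of JustZix.
// The patterns are illustrative and not exhaustive; a clean result does not replace reading the code.
const CHECKS = [
  { id: "network", why: "can send data off the page",
    re: /\bfetch\s*\(|\bXMLHttpRequest\b|\bsendBeacon\b|\bWebSocket\b|\bnew\s+Image\b|\.src\s*=/ },
  { id: "input-read", why: "can read what is typed into a form",
    re: /\.value\b|\bFormData\b|addEventListener\s*\(\s*["'`](keydown|keyup|keypress|input|change|submit)/ },
  { id: "session", why: "can read cookies or stored data",
    re: /\bdocument\.cookie\b|\blocalStorage\b|\bsessionStorage\b|\bindexedDB\b/ },
  { id: "dynamic-code", why: "hides what actually runs",
    re: /\beval\s*\(|\bnew\s+Function\b|\batob\s*\(|\bfromCharCode\b|\bimport\s*\(/ },
];

// Returns every flagged line plus an overall verdict for the snippet.
function reviewSnippet(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    for (const c of CHECKS) {
      if (c.re.test(text)) {
        findings.push({ line: i + 1, id: c.id, why: c.why, text: text.trim() });
      }
    }
  });
  const ids = new Set(findings.map((f) => f.id));
  const readsData = ids.has("input-read") || ids.has("session");
  let verdict = "no-flags";
  if (ids.size > 0) verdict = "review";
  // Reading page data and talking to the network in one snippet, or building
  // code at runtime, means every line should be understood before it runs.
  if ((readsData && ids.has("network")) || ids.has("dynamic-code")) {
    verdict = "do-not-run-unread";
  }
  return { verdict, findings };
}

// Constructed sample inputs.
const SAMPLE_COSMETIC = 'document.querySelector(".promo-banner")?.remove();';
const SAMPLE_SHARED = [
  'const q = document.querySelector("#search").value;',
  'fetch("https://example.invalid/theme.json");',
].join("\n");

for (const [name, src] of [["cosmetic", SAMPLE_COSMETIC], ["shared", SAMPLE_SHARED]]) {
  const { verdict, findings } = reviewSnippet(src);
  console.log(name, "->", verdict);
  for (const f of findings) console.log(`  line ${f.line} [${f.id}] ${f.why}: ${f.text}`);
}
```
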

Install JustZix — and run only code you trust.
