Chrome/Chromium Web Extension

Annotations in Tabs - Browsing Privacy

Short description

  1. When Annotations in Tabs is disabled, no browsing information is sent to the Buboflash server. The browser action icon is crossed out.
  2. When Annotations in Tabs is enabled (the browser action icon is not crossed out), the following data is transmitted to the Buboflash server:
    1. Every URL you open is sent to the Buboflash server, which checks whether a page with this URL is already annotated and whether it has tags.
      1. If it is annotated or it has tags, the annotations and tags are sent from the server to the browser (the server does not need to see the content of the page).
    2. If you create an annotation on a website, the fragment of the content of your tab is sent to Buboflash to associate your annotation with it.
    3. Reading points are processed in exactly the same way.
  3. As a consequence of the points above, you are safe even if you open a page with sensitive information (e.g. your bank account) with the Buboflash Chrome Web Extension enabled, as all the Buboflash server will receive is the URL, not the actual page content. Even if somebody maliciously adds an annotation to a page with this URL, don't panic.
  4. Annotation settings in the Chrome Web Extension are stored in the browser itself, not in your account on the Buboflash server, meaning you can have the plugin enabled in one browser and disabled in another.
  5. I suggest you do not install and enable the Buboflash Chrome Web Extension at work or school - it is almost certainly against corporate policy to send URLs you browse to external servers, and you may risk buboflash.eu being blocked by the corporate firewall admin. If you want to learn something at work, I suggest you do it directly on the buboflash.eu website, not in the Chrome Web Extension.

Details (as submitted on Google page)

Single purpose

  1. Annotating and taking snippets from websites for learning. Annotations can be converted to flashcards.
  2. Setting reading points on webpages to mark reading progress.
Annotations, flashcards and the reading schedule are managed by the https://buboflash.eu backend service, which I authored as well.

Permission justification

scripting

The extension injects a content script that allows the user to annotate websites and displays previously made annotations on mouse hover. Annotated text is highlighted on the page.

The content script is injected only if the "Annotations in tabs" checkbox is enabled. Users can enable or disable the annotations functionality in the popup. If it is disabled, no content script is injected, and only a generic learning summary from the server remains, with no connection to the page being browsed.

It is explained in https://buboflash.eu/bubo5/tal-static-fullscreen-forall/annotations-privacy (linked next to the checkbox in the popup). The linked "annotations-privacy" text also discourages enabling it at work, suggesting using https://buboflash.eu directly instead.

contextMenus

Annotations and flashcards are created by selecting text in a website, right-clicking, and choosing a menu item: "create annotation" or "create flashcard". A reading point is set in the same way.

storage

Extension settings are stored locally, such as whether to show "Annotations in tabs" (yes/no; annotations are shown as highlighted passages if "yes") and for how long to show annotations when the mouse hovers over an annotated passage.

tabs

The extension needs access to:

  1. the tab URL to check if a website already has annotations (server query)
  2. the tab content in the browser to attach existing annotations and reading points retrieved from the server to text passages on the website displayed (local processing)
  3. the selected fragment, which is sent to the server when a new annotation is created
If "Annotations in tabs" is unchecked, the extension does not touch the tabs.

webRequest

The extension listens to https://buboflash.eu/bubo5/logout to know when the user logs out of the backend server. If the user logs out, the extension stops injecting anything into tabs.

Host permission

When the user enables annotations in webpages and the backend server confirms that a page loaded into a tab can be annotated, a content script is dynamically injected into the tab, so that (1) existing annotations retrieved from the backend service can be injected into the text (highlighted text passage + popup on hover) and (2) the context menu for creating new annotations is available.
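
A reviewer can hold an extension's manifest against the permission justifications above. The following is an added example, not BuboFlash's own code: it assumes a Manifest V3 layout, the function names and report fields are hypothetical, and the sample manifest is constructed for illustration.

```javascript
// Permissions this page justifies (names copied from the headings above).
const DOCUMENTED = ["scripting", "contextMenus", "storage", "tabs", "webRequest"];
// Match patterns that cover every site (standard extension match-pattern syntax).
const BROAD_HOSTS = ["<all_urls>", "*://*/*", "http://*/*", "https://*/*"];

// Compare a Manifest V3 object with the documented permission list.
function auditManifest(manifest) {
  const declared = manifest.permissions || [];
  const contentScripts = manifest.content_scripts || [];
  return {
    // Requested in the manifest but never justified on the page.
    undocumented: declared.filter((p) => !DOCUMENTED.includes(p)),
    // Justified on the page but absent from the manifest (stale documentation).
    notDeclared: DOCUMENTED.filter((p) => !declared.includes(p)),
    // Host patterns reaching every site; these rely on the "Host permission" text.
    broadHosts: (manifest.host_permissions || []).filter((h) => BROAD_HOSTS.includes(h)),
    // The page says injection is dynamic and gated by the checkbox, so a static
    // content_scripts entry would run regardless of that setting.
    staticInjection: contentScripts.flatMap((cs) => cs.matches || []),
  };
}

// True when the manifest matches the documented list and injects nothing statically.
function isConsistent(report) {
  return (
    report.undocumented.length === 0 &&
    report.notDeclared.length === 0 &&
    report.staticInjection.length === 0
  );
}

// Constructed sample manifest for illustration; NOT the real BuboFlash manifest.
const sampleManifest = {
  manifest_version: 3,
  name: "example-annotator",
  permissions: ["scripting", "contextMenus", "storage", "tabs", "cookies"],
  host_permissions: ["https://buboflash.eu/*", "<all_urls>"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};

const report = auditManifest(sampleManifest);
console.log(JSON.stringify(report, null, 2));
console.log("consistent with documentation:", isConsistent(report));
```
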

Are you using remote code?

No, I am not using remote code