📖 Reference

Permissions requested

activeTab

Why: Allows XTagger to communicate between the popup and the currently active X.com tab — for example, when you open the tag editor from the popup for a specific user.

What it cannot do: Cannot access other tabs or read content from non-active tabs.

contextMenus

Why: Adds the Tag this user with XTagger item to the browser’s right-click context menu on X.com.

What it cannot do: Cannot read what you right-clicked on outside of what’s needed to identify the username.

host_permissions: https://x.com/* and https://twitter.com/*

Why: Limits XTagger’s activity to X.com and Twitter.com (the legacy domain that still redirects to X.com).

What it cannot do: XTagger has no permissions on any other website. It cannot read your banking, email, or any other browsing activity.

What XTagger never does

  • Does not make network requests to any external server (all data is local)
  • Does not read your X.com login credentials or session tokens
  • Does not track which tweets you read or how long you spend on X.com
  • Does not share data with any third party — no analytics services, AI providers, data brokers, or advertising networks
  • Does not use chrome.storage.sync — your tags never leave your device unless you explicitly export them

Verifying this yourself

XTagger is GPLv3 open source. The full source code is at forgejo.xtagger.dev. The public/manifest.json file in the repository is the canonical list of all permissions requested — it matches exactly what appears in your browser’s extension management page.

✎ Edit this page on Forgejo