CSP Tool, published by Aleph Void LLC ("Aleph Void," "we," "us," or "our"), does not collect, transmit, sell, or share any personal data. Everything the extension does happens locally in your browser. This page explains exactly what each permission is used for and why it is required.
CSP Tool exists for one purpose only.
CSP Tool is a developer tool for inspecting, editing, and overriding the Content Security Policy of web pages in real time.
It helps developers debug CSP violations, test policy changes, and harden or relax policies during development — all from a popup or side panel in their browser. The extension does not analyze browsing behavior, build profiles, or perform any activity unrelated to CSP inspection and editing.
What we collect, transmit, and store — in plain English.
Nothing. CSP Tool does not collect personally identifiable information, browsing history, authentication credentials, location, financial data, health information, communications, or any other personal data.
Nothing. The extension makes no network requests to any server operated by us or any third party. All processing happens locally in your browser.
Only your CSP configurations, URL patterns, and UI preferences (theme, language). This data is stored locally via the browser's storage API and is never transmitted off your device. It is retained on your device until you delete it from within the extension, clear your browser's extension storage, or uninstall the extension — at which point it is permanently removed.
We do not sell or share user data with third parties. We do not use user data for advertising, credit assessment, or any purpose unrelated to the extension's single purpose.
Each permission CSP Tool requests, and why it is required for the extension to function.
activeTabUsed to read the Content Security Policy of the page the user is currently viewing when they open the CSP Tool popup. Without activeTab, the extension cannot inspect the active page's CSP headers or meta tags — which is its core function. Access is granted only when the user explicitly invokes the extension on a tab.
declarativeNetRequestUsed to replace or modify the Content-Security-Policy response header on pages the user has chosen to override. This is required for "Header Override Mode," which lets developers tighten policies set by HTTP headers (something a meta tag cannot do). Rules are generated entirely from the user's local configuration and are never fetched from a remote server.
declarativeNetRequestWithHostAccessRequired so that the user's CSP override rules can apply to the specific hosts they have configured URL patterns for. This permission allows declarativeNetRequest rules to act on hosts the user has granted access to, which is essential for per-site CSP configurations.
CSP Tool requests host access so it can read CSP headers from and inject CSP changes into pages the user wants to test. CSP is a per-origin security mechanism, so the extension must be able to interact with the specific origins the developer is debugging. Host access is used solely to inspect and modify CSP for the user's own development and debugging workflow.
CSP Tool does not execute remote code. The extension contains no eval of remote payloads, no remotely hosted scripts, and no dynamic module imports from external URLs. All JavaScript that runs is bundled inside the extension package and reviewed as part of the published version. The only "dynamic" content is the CSP string the user types into the editor, which is applied as a policy — not executed as code.
scriptingUsed to inject a small content script into the active page so the extension can: (1) read the existing <meta http-equiv="Content-Security-Policy"> tag, (2) inject or update a meta tag in "Meta Tag Mode," and (3) listen for securitypolicyviolation events to surface CSP violations to the user. The injected script only handles CSP-related operations.
sidePanelUsed to provide an optional side-panel UI in addition to the popup. The side panel gives developers a persistent view of the editor and violation log while they interact with the page being tested, which is significantly more usable than a popup that closes on every click.
storageUsed to persist the user's saved CSP configurations, URL patterns, theme preference, and language selection across browser sessions. All data stored via this permission stays on the user's device and is never synced to or transmitted from any remote server by the extension.
tabsUsed to read the URL of the current tab so the extension can match it against the user's saved URL patterns and apply the correct CSP configuration. Also used to reload the active tab after the user applies header-override changes (which require a reload to take effect). The extension does not enumerate, track, or report on the user's tabs.
webRequestUsed to observe the Content-Security-Policy response headers sent by the server so they can be parsed and displayed in the editor. This is read-only inspection used to show the developer the policy currently in effect on the page; header modification itself is performed through declarativeNetRequest.
Our certification under the Chrome Web Store Developer Program Policies.
We certify that CSP Tool's data usage complies with the Chrome Web Store Developer Program Policies. Specifically:
The data controller responsible for CSP Tool is Aleph Void LLC. Because the extension does not collect, transmit, or process any personal data on our servers, there are no data processing activities for which we act as a controller in practice — but Aleph Void LLC remains the publisher accountable for this policy.
CSP Tool is a developer tool and is not directed at children under the age of 13 (or under 16 in jurisdictions where that is the applicable age). We do not knowingly collect personal information from children. Because the extension does not collect any personal information from any user, no special handling for children's data is required.
Privacy laws such as the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA) grant users rights including access, correction, deletion, portability, and the right to object to processing of their personal data.
Because CSP Tool does not collect, transmit, store on our servers, sell, or share any personal data, we hold no personal data about you to access, correct, export, or delete. All data the extension uses (configurations and preferences) is stored locally on your own device under your direct control. You can exercise the equivalent of all of these rights yourself at any time by viewing, editing, or deleting that data from within the extension or by uninstalling the extension.
We do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA.
We may update this privacy policy from time to time, for example to reflect changes to the extension's functionality, requested permissions, or applicable law. When we do, we will update the "Effective date" and "Last updated" fields below and post the revised policy at this URL. For material changes, we will additionally note the change in the release notes for the corresponding version of the extension on the Chrome Web Store and Firefox Add-ons listings. Your continued use of the extension after a revised policy takes effect constitutes acceptance of the updated policy.
Questions, concerns, or reports about this privacy policy can be submitted as an issue on our public GitHub repository: github.com/alephvoid/csptool-web/issues. See also our Support page.
Effective date: April 12, 2026
Last updated: April 12, 2026