StayFree - Website Blocker, Web Usage Stats, Shorts Blocker
Version 2.5.8 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension comes from Sensor Tower, a legitimate analytics company, which adds credibility. With 200,000 users and a strong 4.7-star rating from 2.5K reviews, it appears to have genuine user adoption and satisfaction. The extension's stated purpose as a website blocker and usage tracker aligns with productivity tools that typically require extensive permissions.
The extension's permission set is extremely broad for its stated functionality. While website blocking legitimately requires webNavigation and tabs permissions, the universal host permissions (*://*/*) and content script injection across all websites creates significant attack surface. The scripting permission combined with broad access means this extension can read, modify, or steal data from any website you visit. The search permission seems unnecessary for a website blocker. Most concerning is that these permissions would allow complete monitoring of browsing activity and potential credential theft, far exceeding what's needed for basic website blocking functionality.
Despite the developer's reputation, the permission scope presents substantial privacy and security risks. Consider running this extension in a separate Chrome profile dedicated to productivity tools, isolating it from sensitive browsing activities like banking or work accounts. Alternatively, look for website blockers with more limited permissions that don't require universal site access. If you must use this extension in your main profile, regularly audit what data it might be collecting and consider the trade-off between productivity features and privacy exposure.
Findings
Security Analysis Details
Required Permissions:
- alarms
- tabs
- storage
- notifications
- webNavigation
- scripting
- favicon
- search
Optional Permissions:
- history
- downloads
Host Permissions:
- *://*/*
Embedded URLs (64 total):
| https://notify.bugsnag.com | https://sessions.bugsnag.com | |
| https://notify.bugsnag.smartbear.com | https://sessions.bugsnag.smartbear.com | |
| https://tinyurl.com/yy3rn63z | https://github.com/bugsnag/bugsnag-js | |
| https://github.com/date-fns/date-fns/blob/master/docs/unicodeTokens.md | https://json-schema.org/draft/2020-12/schema | |
| http://json-schema.org/draft-07/schema# | http://json-schema.org/draft-04/schema# | |
| https://www.youtube.com/watch?v=ompaEaSh5rU | https://www.youtube.com/watch?v=6VhsJVFk5WQ | |
| https://api.stayfreeapps.com/v1/remote_config/shared-web-config | https://github.com/uuidjs/uuid#getrandomvalues-not-supported | |
| https://chatgpt.com/c/ | https://gemini.google.com/app/ | |
| https://grok.com/chat/ | https://x.com/i/grok?conversation= | |
| https://chat.deepseek.com/a/chat/s/ | https://www.perplexity.ai/search/ | |
| https://copilot.microsoft.com/chats/ | https://claude.ai/chat/ | |
| https://api.stayfreeapps.com/v1/remote_config/stayfree-chrome | https://vuejs.org/error-reference/#runtime- | |
| https://api-pm.stayfreeapps.com/Ajax0001/IPD | https://api-pm.stayfreeapps.com/Ajax0001/Config | |
| https://stayfreeapps.com/extension-dashboard | https://stayfreeapps.com/goodbye | |
| https://api.stayfreeapps.com | https://www.google-analytics.com/mp/collect | |
| https://clients2.google.com/service/update2/crx | http://www.w3.org/2000/svg | |
| http://www.w3.org/1999/xlink | https://fonts.googleapis.com/css2?family=Overpass:wght@900&family=Roboto+Mono:wght@300 | |
| https://vue-chartjs.org/guide/#vue-single-file-components | http://www.w3.org/1998/Math/MathML | |
| https://discord.gg/cJ7KFSSZ5f | https://calendly.com/stpulse/support | |
| https://chromewebstore.google.com/detail/stayfree-website-blocker/elfaihghhjjoknimpccccmkioofjjfkf?utm_source=stayfree_desktop_app&utm_medium=in_app | https://addons.mozilla.org/en-US/firefox/addon/stayfree/?utm_source=stayfree_desktop_app&utm_medium=in_app | |
| https://apps.apple.com/us/app/stayfree-track-block-sites/id6468659272?mt=12&referrer=stayfree_desktop_app | https://apps.microsoft.com/detail/9n51fgrv6nhg | |
| https://stayfreeapps.com/?download | https://stayfreeapps.com | |
| https://userguide.stayfreeapps.com | https://forms.gle/9juoJHYZxhK3jCuB9 | |
| http://www.w3.org/XML/1998/namespace | https://chromewebstore.google.com/detail/elfaihghhjjoknimpccccmkioofjjfkf/reviews? | |
| https://chromewebstore.google.com/detail/elfaihghhjjoknimpccccmkioofjjfkf? | https://github.com/vuejs/core | |
| https://docs.google.com/forms/d/e/1FAIpQLScFqVfRH-8_qdgABxmL74Nh6hjPWDwvvospRd9IyovVJGnJZA/viewform?usp=pp_url&entry.437107614=2.5.8 | https://c.1password.com/richicons/images/login/96/ | |
| https://icons.bitwarden.net/ | https://www.google.com/s2/favicons?domain=https:// | |
| https://stayfreeapps.com/privacy | https://stayfreeapps.com/android-connect-device?pairingCode= | |
| https://stayfreeapps.com/terms | https://www.walmart.com | |
| https://www.target.com | https://www.instacart.com | |
| https://chromewebstore.google.com/detail/ehfcoplbhoohillcmlophcfghpeilfjc?utm_source=stayfree_extension&utm_medium=ad_context&utm_campaign=luna_adblock | https://html.spec.whatwg.org/multipage/custom-elements.html#valid-custom-element-name | |
| https://stayfreeapps.com/extension-connect-device | https://github.com/vibrant-Colors/node-vibrant/ |
Raw Manifest
{ "name": "__MSG_name__", "icons": { "16": "icon-16.png", "48": "icon-48.png", "128": "icon-128.png" }, "action": { "default_popup": "popup.html" }, "version": "2.5.8", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_description__", "permissions": [ "alarms", "tabs", "storage", "notifications", "webNavigation", "scripting", "favicon", "search" ], "default_locale": "en_US", "content_scripts": [ { "js": [ "content-scripts/ad-finder.js" ], "css": [ "content-scripts/ad-finder.css" ], "run_at": "document_start", "matches": [ "*://*/*" ], "all_frames": true }, { "js": [ "content-scripts/auto-connect-redirect.js", "content-scripts/gen-ai-collector.js" ], "matches": [ "*://*/*" ] }, { "js": [ "content-scripts/block-website.js", "content-scripts/keyword-blocking.js", "content-scripts/usage-monitoring.js" ], "run_at": "document_end", "matches": [ "*://*/*" ] }, { "js": [ "content-scripts/chatbot-finder.js" ], "matches": [ "*://*/*" ], "all_frames": true }, { "js": [ "content-scripts/in-app-blocking.js" ], "css": [ "content-scripts/in-app-blocking.css" ], "run_at": "document_end", "matches": [ "*://*.facebook.com/*", "*://*.instagram.com/*", "*://*.snapchat.com/*", "*://*.tiktok.com/*", "*://*.x.com/*", "*://*.youtube.com/*" ] } ], "host_permissions": [ "*://*/*" ], "manifest_version": 3, "optional_permissions": [ "history", "downloads" ], "web_accessible_resources": [ { "matches": [ "*://*/*" ], "resources": [ "assets/*", "_favicon/*", "*.css", "*.png" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.