Dreamer Capture — extension permissions, in detail

This page exists so users (and the Chrome Web Store review team) can verify what each permission is used for, and so curious users can audit what we touch. The source is open in the extension/ directory of the Dreamer repository.

activeTab

What it grants: temporary access to the URL, title, and DOM of the tab the user is on, only after the user explicitly clicks the extension's toolbar button or triggers its keyboard shortcut.

Why we need it: when you open the popup, we read the current tab's URL and title to pre-fill the bookmark form. If you have text selected on the page, we read that selection so it can be saved as a quoted highlight. Without activeTab, the popup couldn't know what page you're trying to save.

storage

What it grants: persistent local storage inside the extension (chrome.storage.local).

Why we need it: we save your configured Dashboard URL and your personal API token in chrome.storage.local so you don't have to re-enter them on every popup open. Storage is per-browser and is never synced to your Google account or sent anywhere except your own dashboard.

contextMenus

What it grants: the ability to add items to the browser's right-click menu.

Why we need it: we add four entries — "Bookmark this page", "Bookmark this link", "Save selection as a note", and "Save selection as a task" — so you can capture without opening the popup. The menu items only act when explicitly clicked.

scripting

What it grants: the ability to execute a small script in the current tab to read data we couldn't otherwise reach.

Why we need it: we run a single one-line script — window.getSelection().toString() — to capture text you've highlighted on the page. This runs only when the popup is open or a right-click menu item is invoked. We never inject scripts in the background, never modify the page, and never persist any script.

host_permissions: <all_urls>

What it grants: the right-click context menu can appear on any site, and (combined with scripting) the selection reader can run on any site you trigger it from.

Why we need it: you can save bookmarks, notes, or tasks from any web page you visit. Restricting to a hard-coded list of domains would defeat the purpose of a universal bookmarker. We do not access pages in the background — every read is triggered by an explicit user action (clicking the toolbar icon, a keyboard shortcut, or a right-click menu item).

What the extension does NOT do

  • It does not read or send any data from tabs you haven't acted on.
  • It does not log your browsing history.
  • It does not contact any server other than the Dashboard URL you configured.
  • It does not run any third-party analytics or trackers.
  • It does not access cookies, passwords, or local storage on any site you visit.
  • It does not modify the pages you visit.

What it sends, every time you save

A single POST /api/extension/capture request to your configured Dashboard URL, containing:

  • The target type (bookmark, note, or task)
  • The URL of the current tab (or the URL of a link you right-clicked)
  • The page title
  • Any text you selected on the page
  • The title/body/tags you typed in the popup
  • An Authorization: Bearer drm_… header with your personal API token

Nothing else is ever transmitted. You can inspect every request in DevTools → Network while the popup is open.

Auditing the source

The full source of the extension is contained in the extension/ directory of the open-source Dreamer repository. Three files cover all behavior:

  • popup.js — popup UI, save logic, whoami / sync calls
  • background.js — context menu registration, the silent bookmark shortcut
  • manifest.json — the permission declarations above
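
One way to check the claims on this page against an unpacked build, as an added example rather than code from the Dreamer repository: the first function compares manifest.json with the permissions listed above, the second scans a HAR file exported from DevTools → Network for requests to any origin other than your Dashboard URL. It assumes a Manifest V3 manifest; the function names, the sample manifest, the HAR entries and the example.test hosts are constructed for illustration.

```javascript
// Permissions documented on this page (added example, not Dreamer code).
const DOCUMENTED = {
  permissions: ["activeTab", "storage", "contextMenus", "scripting"],
  host_permissions: ["<all_urls>"],
};

// Compare a parsed manifest.json against the documented declarations.
// Returns entries declared but undocumented, and documented but missing.
function auditManifest(manifest) {
  const report = { undocumented: [], missing: [] };
  for (const key of Object.keys(DOCUMENTED)) {
    const declared = new Set(manifest[key] || []);
    const expected = new Set(DOCUMENTED[key]);
    for (const p of declared) if (!expected.has(p)) report.undocumented.push(`${key}: ${p}`);
    for (const p of expected) if (!declared.has(p)) report.missing.push(`${key}: ${p}`);
  }
  // optional_permissions can be requested at runtime, so report them too.
  for (const p of manifest.optional_permissions || []) {
    report.undocumented.push(`optional_permissions: ${p}`);
  }
  return report;
}

// Given a HAR export from DevTools → Network, list requests that went
// to any origin other than the configured Dashboard URL.
function offOriginRequests(har, dashboardUrl) {
  const allowed = new URL(dashboardUrl).origin;
  return har.log.entries
    .map((e) => e.request)
    .filter((r) => {
      try {
        const u = new URL(r.url); // the popup's own files are not network traffic
        return u.protocol !== "chrome-extension:" && u.origin !== allowed;
      } catch { return true; } // unparseable URL: flag it for review
    })
    .map((r) => `${r.method} ${r.url}`);
}

// Constructed sample inputs (not taken from the real extension).
const sampleManifest = {
  manifest_version: 3,
  permissions: ["activeTab", "storage", "contextMenus", "scripting", "cookies"],
  host_permissions: ["<all_urls>"],
};
const sampleHar = { log: { entries: [
  { request: { method: "POST", url: "https://dash.example.test/api/extension/capture" } },
  { request: { method: "GET", url: "https://metrics.example.test/collect" } },
] } };
console.log(auditManifest(sampleManifest), offOriginRequests(sampleHar, "https://dash.example.test"));
```

An empty report from both functions is consistent with the declarations and the network claim above; any entry is something to trace back to popup.js or background.js.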
