The `proxy` permission explained: what browser extensions can really do with your traffic
The proxy permission lets a browser extension reroute all your traffic through servers it controls. Here's what it really allows — and how to check yours.

Most extension permissions let an add-on read something — your tabs, your cookies, a page you're looking at. The proxy permission is different in a way that took me a while to fully appreciate. It doesn't just read your traffic. It decides where all of it goes.
When an extension holds the proxy permission, every request your browser makes — every page, every image, every API call your bank's site fires in the background — can be routed through a server the extension chooses. That's not a slice of your browsing. That's the whole pipe.
It's rare, which is the good news. Across the roughly 308,000 live listings in the Extenshi catalog, only about 2,335 extensions — 0.8% — declare proxy. But the ones that do are, by definition, the ones with their hands on your entire connection. So it's worth understanding exactly what that means before you install a "free VPN," a "faster internet" tool, or anything that promises to change how your browser reaches the web.
What the proxy permission actually is
A proxy is a middleman server. Instead of your browser talking directly to a website, it hands the request to the proxy, the proxy fetches the page, and the page comes back to you through the proxy. This is genuinely useful technology — it's how corporate networks filter traffic, how VPN-style tools hide your IP, and how some content filters work.
The proxy permission gives an extension programmatic control over Chrome's proxy settings through the chrome.proxy API. It's the same underlying setting you'd find buried in your system network preferences, except the extension can change it in code, silently, whenever it wants.
Here's what setting a fixed proxy looks like from inside an extension, straight from the official Chrome documentation:
const config = {
mode: "fixed_servers",
rules: {
singleProxy: { scheme: "https", host: "proxy.example.com", port: 443 },
bypassList: ["foobar.com"]
}
};
chrome.proxy.settings.set({ value: config, scope: "regular" });That's it. Four lines, and every request your browser makes now flows through proxy.example.com — a host the extension author picked, running code you can't see.
What it actually allows
The reach here is what makes proxy a category of its own.
Once traffic is routed through a server the extension controls, that server sits in the middle of everything. It sees the domains you visit and, depending on how the connection is handled, potentially the full URLs and content. It can log where you go, correlate it with your IP, and build a browsing profile that's every bit as detailed as your history file — except it lives on someone else's machine.
This is a different threat than the history permission, which reads the record of where you've been. A proxy watches where you're going, live, as it happens. And it's broader than the webRequest permission, which can observe requests inside the browser — a proxy actually moves the traffic off your device and onto infrastructure you don't own.
The chrome.proxy API can also point your browser at a PAC script — a small piece of JavaScript that decides, per-request, which proxy to use. That's a legitimate feature for complex routing. It also means the routing logic can be fetched remotely and changed after install, without you ever seeing an update prompt.
Combine a proxy with the ability to read page content — say a content script running on <all_urls> — and you've handed one extension both the router and the reader. That's the setup worth pausing on.
Real examples: the free VPN problem
The most common place you'll meet the proxy permission is a browser VPN or proxy extension. And that's exactly where it gets uncomfortable, because a "free" VPN has to make money somehow — and the product routing 100% of your traffic is in the perfect position to monetize it.
I wrote a full breakdown of one case: Urban VPN, a "Featured" Chrome extension with millions of users that, according to security researchers, silently added code to harvest users' AI chatbot conversations and forward them to analytics endpoints. All four Urban VPN-linked extensions were removed from the Chrome Web Store in December 2025. That's not a story about a permission being abused in the abstract — it's a story about what happens when you give one company your whole connection and trust its business model to stay clean.
Researchers at Secure Annex have documented that this is a pattern, not a one-off — free VPN and proxy extensions have repeatedly been caught routing traffic through opaque infrastructure and reselling browsing data to brokers. Reporting from outlets including TechRadar and Infosecurity Magazine has corroborated similar findings across multiple free VPN extensions.
None of that means every proxy extension is malicious. It means the incentive structure around free ones deserves real skepticism.
To be clear, proxy has entirely legitimate uses. Reputable paid VPNs, enterprise security tools, and developer proxies like debugging utilities all use it for exactly what it's designed for. The permission isn't the problem. The question is who's operating the server on the other end, and how they pay their bills.
Risk assessment: when it's fine, when it's not
Not every proxy extension is a red flag. Here's roughly how I think about it.
Lower concern: a paid VPN from an established company with a published, audited no-logs policy; an enterprise tool your IT department deployed; a developer proxy you installed deliberately to debug your own work. In these cases you know who runs the server and there's an accountable party.
Higher concern: a free VPN or proxy with a vague privacy policy; an extension that requests proxy alongside broad content access (<all_urls>, cookies) when its stated job doesn't obviously need to reroute traffic; anything that changed hands recently or pushes silent updates. If a screenshot tool or a shopping-coupon extension asks for proxy, that mismatch is the signal.
The core rule: a proxy extension is only as trustworthy as the company running the exit server. You're not evaluating software anymore — you're evaluating an infrastructure provider you can't inspect. If you can't answer "who sees my traffic and how do they make money," that's your answer.
If you want to compare the built-in option to extensions, I put Firefox's free VPN head-to-head against VPN extensions — a browser-level VPN at least keeps the accountable party to one you already chose.
How to check your extensions
You can see whether an extension requests proxy in a few minutes.
- In Chrome: open
chrome://extensions, enable Developer Mode (top-right), and click "Details" on any extension. The permission list showsproxyexplicitly if it's declared. - Watch the warning at install: an extension requesting proxy control triggers a prompt about changing your proxy settings. If you see that on something that isn't a VPN or network tool, stop and think.
- Check the manifest on Extenshi: every listing in the catalog surfaces the declared permissions, so you can see
proxy— and everything it's paired with — before you install. An extension asking forproxyplus full-site access and cookies is a very different risk profile than one asking forproxyalone.
If a proxy extension is currently active, remember it controls your whole connection right now. Disabling it in chrome://extensions immediately hands routing back to your normal network — a fast way to test whether that "faster internet" tool was doing anything for you besides watching.
Want to see which of your installed extensions request proxy and how they score on privacy?
Look up any extension in the Extenshi catalog and see exactly what it's allowed to do with your traffic before you trust it with all of it.
Methodology
The 2,335 / 0.8% figure comes from a query over the roughly 308,000 live listings in the Extenshi catalog on 2026-07-03, counting manifests that declare the proxy permission (2,335 of ~308,000 = 0.8%).
This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].
Related Articles
Host permissions explained: what 'read and change all your data on all websites' really means
Browser extension host permissions let extensions read and change every website you visit. Here's what that warning actually means and when to be concerned.
The `webRequest` permission explained: what browser extensions can really see in your traffic
The webRequest permission lets browser extensions watch — and sometimes rewrite — every network request you make. Here's what it really sees and how to check.
Urban VPN review: how a "Featured" Chrome extension harvested 8 million users' AI chats
Urban VPN Proxy secretly harvested ChatGPT, Claude, and Gemini chats from 8M users. A separate campaign hit 900K users in 20K+ enterprise tenants.

The `storage` permission explained: what browser extensions keep, and where it actually lives
The storage permission is the most-requested thing extensions ask for — 62% claim it, with no install warning. Here's what it keeps, where, and how to check.