Labvanced Web Bridge

About

Labvanced Web Bridge is a companion extension for the Labvanced online experiment platform, used by academic researchers, UX professionals, and behavioral scientists to conduct controlled studies on real-world websites.


WHAT THIS EXTENSION DOES

Labvanced lets researchers embed any website inside a controlled experiment environment, then track how participants interact with it — measuring where they look (via webcam-based eye-tracking), what they click, and how they move their mouse. This extension is what makes that possible.

Specifically, it:

- Tracks the on-screen position of researcher-selected website elements (called Areas of Interest) and streams their coordinates in real time to the Labvanced experiment player
- Allows researchers to pick elements visually using a point-and-click selector tool in the Labvanced editor
- Handles scrollable containers and dynamically loaded content
- Removes iframe embedding restrictions (X-Frame-Options / Content-Security-Policy headers) so that third-party websites can be loaded inside the Labvanced experiment player — this is required because most websites block iframe embedding by default


WHO SHOULD INSTALL THIS EXTENSION

This extension is for researchers and study participants using the Labvanced platform. It is not a general-purpose tool and has no functionality outside of Labvanced research sessions.

- Researchers install it to design and preview eye-tracking / mouse-tracking studies involving real websites in the Labvanced editor
- Study participants will be asked to install it before taking part in a UX research study that involves website interaction tasks


HOW IT WORKS — AND WHY IT IS SAFE

The extension requires broad host permissions because researchers can embed any website in their studies, and the extension cannot know in advance which domains will be used. However, all functionality is strictly scoped to the Labvanced platform at runtime.

Detection script:
A lightweight script (detect.js) is injected only on labvanced.com pages. It sets a single HTML attribute on the top-level frame so the Labvanced UI can confirm the extension is installed. It does nothing else.


Content scripts:
Content scripts are injected into all iframes, but they contain multiple layers of runtime guards and exit immediately unless the page is embedded by labvanced.com:

- They exit immediately in top-level (non-iframe) frames
- They use location.ancestorOrigins to verify that labvanced.com is an ancestor frame — if not, or if the API is unavailable, the script exits immediately (fail-closed)
- Messages are only accepted from the direct parent frame (event.source === window.parent) with a validated labvanced.com origin (exact hostname match using URL parsing, not substring matching)
- No tracking begins until the Labvanced parent frame sends an explicit initialization command
- All outgoing messages use the validated origin — never the wildcard "*"

On any page that is not embedded by labvanced.com, the content scripts exit after the iframe and origin checks. No listeners are installed, no DOM is read, and no data flows.

Header modification:
The extension uses tab-scoped session rules to remove X-Frame-Options and Content-Security-Policy headers from iframe responses — but only in browser tabs whose top-level URL is labvanced.com. Rules are applied per-tab dynamically and are removed immediately when the tab navigates away from labvanced.com or is closed. Session rules live in memory only and do not persist across browser restarts. All other tabs are completely unaffected.


DATA AND PRIVACY

When active inside a Labvanced research session, the extension collects:

- Bounding-box coordinates (position and size) of researcher-selected elements
- Mouse interaction data: click positions, hover events, mouse movement coordinates, element descriptions, and visible text snippets (truncated to 50 characters; password fields and other sensitive inputs are explicitly excluded and never read)
- Page scroll position and current page URL

All collected data is transmitted exclusively to the embedding labvanced.com parent frame via the browser's postMessage API. The extension does not send any data to external servers, does not store any data locally, and does not collect any data during normal browsing outside of an active Labvanced study.

The extension does not use any remotely hosted code.

Privacy policy: https://www.labvanced.com/extension-privacy-policy