Protect Your Forms from Browser Extensions
Browser extensions have full DOM access. Any of the 200,000+ Chrome extensions can read input values, including passwords and credit cards.
The Problem
Right now, Browser Extensions can do this on your website:
// Browser Extensions captures:
document.querySelector("input[type=password]").value
// "MyBankPassword123" ← captured and stored
With SmartField
Browser Extensions still runs. But SmartField fields return only encrypted data:
// Browser Extensions captures:
document.querySelector("smart-field").value
// "eyJ2IjoxLCJpdiI6..." ← useless encrypted payload
The screen shows cipher characters: ΣΩΔψξλμπ
Implementation
<script src="https://cdn.smartfield.dev/v1/smartfield.js"></script>
<smart-field type="password" encrypt-key="/api/sf-key"
placeholder="password"></smart-field>
2 lines. Your forms are now invisible to Browser Extensions.
Frequently Asked Questions
How does SmartField protect against Browser Extensions?+
SmartField stores no real data in the DOM. Browser Extensions can only capture cipher characters and encrypted payloads. The real user data is in a WeakMap inside a closed Shadow DOM, invisible to any recording tool.
Do I need to remove Browser Extensions from my site?+
No. SmartField works alongside Browser Extensions. You keep your analytics. SmartField just ensures sensitive fields are encrypted. Browser Extensions records everything except SmartField data.
Is this proven?+
SmartField passed 20/20 automated attack vectors and 15/15 bot attacks (Playwright + Headless Chromium). Four AI models (GPT, Claude, Gemini, Grok) could not read a single character.
Related