Can a website detect that a content script is running on its page?

Yes, it is possible. While content scripts run in an isolated JavaScript scope, the DOM modifications they make are visible to the page's own scripts. A site can detect injected elements, observe unexpected DOM changes, or check for the presence of extension-specific attributes. Some platforms actively attempt to detect and block browser extensions for anti-bot purposes.

Can content scripts make network requests?

Yes, content scripts can use fetch() and XMLHttpRequest just like regular web pages. However, they are subject to the same cross-origin restrictions unless the extension has declared the appropriate host_permissions and the target server allows cross-origin requests (or the extension uses its service worker as a proxy, which bypasses CORS for declared hosts).

What is the difference between a content script and a userscript (Tampermonkey)?

Both inject JavaScript into web pages, but userscript managers like Tampermonkey run scripts with elevated privileges in a different isolated world called 'unsafe window' access. Userscripts are easier to write and share but lack access to Chrome extension APIs like chrome.storage or chrome.tabs. A full Chrome extension with a content script has more capabilities but requires packaging and distribution through the Web Store.

Do content scripts run on every page or only specific ones?

You control this via URL match patterns declared in manifest.json. A content script can run on all pages ( : [' ']), specific domains ('https://x.com/*'), or complex patterns. Some extensions also inject content scripts programmatically using chrome.scripting.executeScript() rather than declaring them statically, which allows more precise control over when and where they run.

Browser Extensions

What is Content Script?

A content script is a JavaScript (or CSS) file that a browser extension injects into web pages, running in the context of those pages. Content scripts can read and modify the page's DOM, react to user interactions, and communicate with the extension's background service worker — all without requiring any changes to the website itself.

Last updated: March 6, 2026

Content Script Explained

When you install a Chrome extension that modifies websites — highlighting text, injecting buttons, or extracting data — it almost certainly uses a content script. Content scripts are declared in the extension's manifest.json and are automatically injected into pages that match specified URL patterns (e.g., https://x.com/*). They run in an isolated world: they share the page's DOM but have a separate JavaScript scope, meaning they cannot directly access variables or functions defined by the page's own scripts, and vice versa.

What Content Scripts Can Do

Content scripts have access to the full Web APIs available to the page: document, window, event listeners, fetch, and DOM manipulation methods. They can read all visible text on the page, add or remove elements, intercept clicks, observe DOM mutations with MutationObserver, and inject styles. For a social media extension, this means being able to scan a list of accounts displayed on the page, identify non-followers, and render a custom UI panel — all happening entirely within the browser without any server-side involvement.

Content Scripts vs. Background Scripts

The two primary script contexts in a Chrome extension serve different roles. The Service Worker (formerly background page) handles extension-level tasks: responding to browser events, managing extension state, communicating with external APIs, and coordinating between tabs. The content script handles page-level tasks: reading and manipulating the specific webpage the user is viewing. They communicate via the Chrome messaging API (chrome.runtime.sendMessage / chrome.runtime.onMessage), passing data back and forth as needed. A content script might send extracted page data to the service worker, which then makes an API call and returns results for the content script to display.

Security Isolation and Permissions

Chrome's isolated world architecture is a key security feature. A malicious page script cannot read variables set by the content script, and the content script cannot be hijacked by page-level JavaScript. However, content scripts do require the host_permissions grant for the pages they run on — this is why many extensions prompt you to allow access to "all sites" or specific domains. Extensions should request only the minimum URL patterns they actually need, following the principle of least privilege. See Extension Permissions for more detail.

Real-World Content Script Patterns

Common content script patterns include: DOM scraping (reading structured data from a page's HTML that isn't available via a public API), UI injection (adding buttons, panels, or badges to pages), form automation (filling in fields programmatically), and page monitoring (watching for new content to appear via MutationObserver). Social media extensions like X Unfollow Pro and Instagram Unfollow Pro rely heavily on content scripts to read follower lists rendered by the platform's own JavaScript before taking action.

Real-World Examples

X Unfollow Pro injects a content script into x.com pages to scan the rendered list of accounts you follow and identify those who do not follow you back.

A grammar checker extension uses a content script to read text from any input field on any website and underline detected errors in real time.

A price comparison extension injects a content script on Amazon product pages to extract the product name and ASIN, then displays comparison prices from other retailers in a sidebar.

A reading-mode extension's content script removes ads, navigation, and sidebars from article pages and reformats the remaining text for comfortable reading.