Last updated: May 6, 2026
Why this extension uses a background iframe and token exchange.
NeuralWriter's rewrite API is a free service. To keep it free we must prevent automated abuse. The API sits behind Cloudflare bot-detection, which means a session token can only be obtained from a real browser context — server-to-server requests are blocked.
To handle this without disrupting the user, the extension creates a hidden offscreen document (a standard
Chrome MV3 API) containing an iframe that loads a token page on research.neuralwriter.com. The
iframe passes Cloudflare's challenge automatically because it runs inside the user's browser. A content
script reads the resulting session token and stores it locally. The token is a JWT valid for one hour, tied
to the user's IP, and is refreshed every 50 minutes. This token is sent with every rewrite API request to
authorize the session. No login, no account, no personal data is involved in this process.
This extension provides AI-powered text paraphrasing. Users select text on any webpage, press Ctrl+Alt+P (or open the popup), and receive a rewritten version. That is the only purpose of this extension.
| Data | Where it goes | Retention |
|---|---|---|
| Text the user submits for paraphrasing | NeuralWriter API (neuralwriter.com/api/rewrite) | Not stored after the response is returned |
| Session token (JWT) | Stored locally in chrome.storage.local | Replaced every 50 minutes; cleared on uninstall |
| Anonymous user ID (random UUID) | Stored locally in chrome.storage.local | Persists until extension is uninstalled |
| Language & mode preference | Stored locally in chrome.storage.local | Persists until extension is uninstalled |
| API call statistics (success/fail count) | Stored locally in chrome.storage.local | Persists until extension is uninstalled |
The extension does not collect browsing history, form data, credentials, keystrokes, or any data
from pages the user visits. The only outbound network requests go to neuralwriter.com and its
subdomains.
| Permission | Purpose |
|---|---|
| offscreen | Creates a hidden document with an iframe to the NeuralWriter token page. The iframe passes Cloudflare bot-detection in a real browser context so the extension can obtain a session token without opening a visible tab. |
| declarativeNetRequest | Removes X-Frame-Options headers on subframe responses that carry the extension's unique URL parameter. This allows the token page to load inside the offscreen iframe. Only applied to subframes — main-frame navigation is never modified. |
| scripting | Registers content scripts for pages matching a specific URL parameter. These scripts read the session token from the token page inside the offscreen iframe. Also used to read selected text on the active tab when the user invokes the paraphrase feature. |
| storage | Stores the session token, user preferences (language, mode), an anonymous user ID, and API usage statistics locally. Nothing is synced externally. |
| cookies | Reads cookies from neuralwriter.com only, to maintain the authenticated session with the NeuralWriter API. |
| tabs | Reloads NeuralWriter tabs after extension updates. Reads page text when the user triggers the paraphrase feature. Only queries tabs on neuralwriter.com. |
| webRequest | Monitors response status codes on neuralwriter.com API calls to track local usage statistics (success/failure counts). |
| webNavigation | Detects when the token page iframe finishes loading inside the offscreen document so the extension can proceed with token extraction. |
| alarms | Runs a check every 60 minutes to verify the offscreen document is still active and recreates it if the browser discarded it. |
| <all_urls> host permission | The Ctrl+Alt+P hotkey and popup overlay must work on any webpage to read selected text. Content scripts that extract the session token are filtered by a unique URL parameter and do not activate on general browsing pages. |
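
The declarativeNetRequest scoping described in the table above can be checked mechanically. The following is an added example, not the extension's own code: it audits a header-removal rule for the three limits the policy states (subframes only, token host only, marker parameter required). The parameter name `nw_ext_token=`, the rule ids and the helper `auditFrameHeaderRule` are placeholders assumed for illustration.

```javascript
// Added example. "nw_ext_token=" and the rule ids are placeholders; the page
// does not publish the extension's real parameter name or rule set.
const MARKER = "nw_ext_token=";
const ALLOWED = ["research.neuralwriter.com"];
const removeXfo = {
  type: "modifyHeaders",
  responseHeaders: [{ header: "x-frame-options", operation: "remove" }],
};

// Scoped as the policy describes: one host, marker parameter, subframes only.
const scopedRule = {
  id: 1,
  action: removeXfo,
  condition: { urlFilter: MARKER, requestDomains: ALLOWED, resourceTypes: ["sub_frame"] },
};

// Constructed counter-example: same action with no scoping.
const broadRule = {
  id: 2,
  action: removeXfo,
  condition: { urlFilter: "*", resourceTypes: ["main_frame", "sub_frame"] },
};

// Hypothetical audit helper: lists scoping problems in a rule that strips
// X-Frame-Options. Rules that do not strip the header return no findings.
function auditFrameHeaderRule(rule, allowedDomains, marker) {
  const action = rule.action || {};
  const strips = action.type === "modifyHeaders" &&
    (action.responseHeaders || []).some(
      (h) => h.header.toLowerCase() === "x-frame-options" && h.operation === "remove");
  if (!strips) return [];

  const findings = [];
  const c = rule.condition || {};
  const types = c.resourceTypes || [];
  if (types.length !== 1 || types[0] !== "sub_frame") {
    findings.push("resourceTypes must be exactly [sub_frame]");
  }
  const domains = c.requestDomains || [];
  if (domains.length === 0 || !domains.every((d) => allowedDomains.includes(d))) {
    findings.push("requestDomains must be limited to the token host");
  }
  if (!c.urlFilter || !c.urlFilter.includes(marker)) {
    findings.push("urlFilter must require the marker parameter");
  }
  return findings;
}

console.log(auditFrameHeaderRule(scopedRule, ALLOWED, MARKER)); // []
console.log(auditFrameHeaderRule(broadRule, ALLOWED, MARKER).length); // 3
```
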
The extension communicates exclusively with neuralwriter.com and its subdomains (including
research.neuralwriter.com). No data is sent to any other third party. No analytics, tracking, or
advertising SDKs are included.
The extension includes a local synonym-based rewriting engine that works entirely offline for English text. When this mode is selected, no network requests are made — all processing happens within the browser.
The session token is a JWT signed with HMAC-SHA256, valid for one hour, and tied to the user's IP address. It is
stored in chrome.storage.local (not synced) and is only transmitted to
neuralwriter.com over HTTPS.
This extension is not directed at children under 13 and does not knowingly collect information from children.
If this policy is updated, the new version will be published at this URL with an updated date. Continued use of the extension after changes constitutes acceptance.