Browser Extension

The Zenovay Analytics Inspector is a Chrome + Firefox WebExtension that detects the Zenovay tracking script on any page and shows live events in a popup. It's a diagnostic tool — a faster, in-browser alternative to opening DevTools or the dashboard's installation-verification flow.

Install

Chrome Web Store

Coming soon — submission package prepared. We'll link directly here when it's approved.

Firefox Add-ons (AMO)

Coming soon — submission package prepared.

From source (developers)

git clone https://github.com/zenovay/extension-zenovay.git
cd extension-zenovay
npm install
npm run build

Then in Chrome, open chrome://extensions, enable Developer mode (top-right toggle), click Load unpacked, and pick the dist/ directory.

In Firefox, open about:debugging#/runtime/this-firefox, click Load Temporary Add-on, and pick dist/manifest.json.

How to read the badge

The badge state is per-tab, so a single browser session can show different states for different sites simultaneously.

What the popup shows

When you click the badge, the popup reports:

• Status card — current detection state with a pulsing pip while events are live
• Tracking code — the project ID (e.g., ZV_abc123…)
• Script src — the URL the tracker is loaded from
• Cookieless — whether data-cookieless="true" is set on the script tag, OR cookielessMode: true in ZENOVAY_TRACKER_CONFIG
• GPC — whether the user has Global Privacy Control enabled in browser settings
• API endpoint — where the tracker sends events
• Live events — a scrolling list of the last 50 events (event type + relative time)
• Open in Zenovay Dashboard — deep-link to the matching website's dashboard

Live events: Path A vs Path B

The Zenovay tracker only emits the zenovay:debug:event custom event when the site sets data-debug="true". Production sites typically don't.

Path B (default). The extension listens for zenovay:debug:event and drains window._zenovayDebugBus. On a debug-mode page (or on app.zenovay.com), you'll see events stream in. On a production site without debug mode, the popup shows:

Enable data-debug="true" on the script tag to see live events, or toggle deep inspection below.

Path A (opt-in). Toggle Beta: deep inspection in the popup. The extension monkey-patches navigator.sendBeacon and window.fetch to intercept event POSTs to the tracker API. Works on every site, with two caveats:

1. The extension may collide with other extensions that also monkey-patch network calls.
2. Events fired before you enabled the toggle aren't captured. If 3 seconds pass with no events, the popup offers a one-click Reload to capture the initial pageview.

We mark Path A as Beta until we've collected feedback on collisions. Disable it if you see odd behaviour on any site.

Detection signals

The extension probes five sources, in order, all inside the page's MAIN world:

1. Script tag scan — script[src*="/z.js"], script[src*="zenovay-tracker"], script[data-id], script[data-tracking-code], script[data-website-id].
2. Global probe — typeof window.zenovay === 'function', polled up to 5 seconds at 200 ms intervals.
3. Config probe — reads window.ZENOVAY_TRACKER_CONFIG if the tracker was loaded via the /load endpoint (with dashboard-injected config).
4. Event subscription — listens for zenovay:debug:event on window.
5. Buffer drain — snapshots window._zenovayDebugBus if present.

Any one signal is enough to mark a page as "detected".

Permissions

Explicitly not requested: tabs, webRequest, cookies, history, bookmarks, downloads. The extension can't read your other tabs, your history, or your saved passwords.

Privacy

The Inspector is built to honour Zenovay's broader cookieless posture:

• No remote calls — the extension never sends data to api.zenovay.com or anywhere else.
• No cookies — neither the extension itself nor its UI write cookies. Toggle state lives in chrome.storage.local (a few bytes for the Beta: deep inspection preference). Tab-level event data lives in chrome.storage.session, which is cleared on browser close.
• No persistent payload storage — Path A's monkey-patches parse event bodies in memory only.
• Deep-link is user-initiated — clicking Open in Zenovay Dashboard is the only outbound action, and it requires a deliberate click.

Troubleshooting

Badge stays empty on a site I'm sure has Zenovay

• Hard-refresh the tab (Cmd/Ctrl + Shift + R). The injected probe runs at document_idle; a fresh load gives it a clean shot.
• Inspect the page source for script src patterns matching /z.js, zenovay-tracker, or data-id="…". If none are present, the script isn't actually loaded.
• Check the site's CSP — a strict script-src directive could be blocking the tracker entirely.

Badge shows amber ! but I'm expecting events

This is Path B working as designed. The script is loaded but isn't emitting zenovay:debug:event because the site doesn't have data-debug="true". Enable Beta: deep inspection in the popup, then reload.

Events list is empty after enabling deep inspection

If a hint banner appears within 3 seconds — click Reload. The tracker's initial pageview fires once per page load; Path A only catches events from when it was activated.

Cookieless indicator shows ✗ but I configured cookieless

data-cookieless="true" must be on the <script> tag itself, as a string "true". Confirm:

<script src="https://api.zenovay.com/z.js" data-id="YOUR_CODE" data-cookieless="true"></script>

Not data-cookieless (presence-only) or data-cookieless="1". The tracker reads it as a strict string match.

Open source

The extension is MIT-licensed and developed in the open at github.com/zenovay/extension-zenovay. Issues and pull requests welcome.