Most browser extensions that call external APIs route your data through a developer-controlled server first. That's not a conspiracy — it's the path of least resistance. You stand up a backend, proxy requests through it, log errors, maybe cache responses. The problem is that everything you highlight and every question you ask passes through infrastructure that you don't control and that the extension author probably didn't design for privacy from the start.
rabbitholes does something different by construction: requests go directly from your browser to api.anthropic.com and api.search.brave.com. There is no intermediary server. There is nothing to log because there's nothing in the middle.
This wasn't a late decision. The extension renders explanations in a shadow-DOM tooltip next to your cursor — the shadow DOM means the tooltip doesn't pollute the host page's styles or scripts. The same isolation principle runs through the data flow. Your Anthropic API key lives in chrome.storage.sync, which Chrome encrypts and syncs to your account. It never leaves the browser.
The architecture made Manifest V3 compliance straightforward rather than painful. MV3 restricts remotely-hosted code and tightens background-service-worker lifetimes precisely because extensions were being used as an attack surface. Building direct-to-API meant there was no server-side component to audit or trust.
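Part of the direct-to-API claim can be checked from an extension's manifest alone. The following is an added example, not code from rabbitholes: it audits a Manifest V3 manifest's declared host permissions and CSP connect-src against the two API hosts named above. Both manifests and the proxy.example.net host are constructed for illustration.

```javascript
// Added example: manifests below are constructed, not rabbitholes' real manifest.
const ALLOWED_HOSTS = new Set(["api.anthropic.com", "api.search.brave.com"]);

// Host part of a match pattern (https://host/*) or CSP source (https://host).
function hostOf(source) {
  const m = /^(\*|https?|wss?):\/\/([^/:]+)/.exec(source);
  return m ? m[2] : null; // null for <all_urls> and anything unparsable
}

function auditManifest(manifest) {
  const findings = [];
  const offList = (s) => !ALLOWED_HOSTS.has(hostOf(s));
  if (manifest.manifest_version !== 3) findings.push("not Manifest V3");

  // Host permissions let extension contexts call these origins without CORS limits.
  const patterns = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ];
  for (const p of patterns.filter(offList)) findings.push(`host permission: ${p}`);

  // connect-src (or default-src as fallback) limits fetch() from extension pages
  // and the service worker.
  const csp = (manifest.content_security_policy || {}).extension_pages || "";
  const directives = csp.split(";").map((d) => d.trim().split(/\s+/));
  const connect = directives.find((d) => d[0] === "connect-src")
    || directives.find((d) => d[0] === "default-src");
  if (!connect) {
    findings.push("csp: no connect-src or default-src restricts fetch destinations");
  } else {
    const sources = connect.slice(1).filter((s) => s !== "'self'" && s !== "'none'");
    for (const s of sources.filter(offList)) findings.push(`connect-src: ${s}`);
  }
  return findings;
}

const direct = {
  manifest_version: 3,
  host_permissions: ["https://api.anthropic.com/*", "https://api.search.brave.com/*"],
  content_security_policy: { extension_pages:
    "script-src 'self'; object-src 'self'; connect-src https://api.anthropic.com https://api.search.brave.com" },
};
// Same extension with a hypothetical developer proxy added.
const proxied = {
  ...direct,
  host_permissions: [...direct.host_permissions, "https://proxy.example.net/*"],
};
console.log(auditManifest(direct), auditManifest(proxied));
```

An empty result covers only what the manifest declares, so it complements rather than replaces watching the extension's actual network traffic.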






