“Why aren’t our forms being tracked?”<\/li>\n<\/ul>\n\n\n\nI needed a tool that could answer all of these instantly. So I built one.<\/p>\n\n\n\n
\n\n\n\nWhat I Built<\/h2>\n\n\n\n
The Factors SDK Debugger<\/strong> is a Chrome extension that:<\/p>\n\n\n\n\n- Detects SDK presence<\/strong> \u2013 Not just “is it there?” but how<\/em> it is installed (manual HTML, Google Tag Manager, or both)<\/li>\n\n\n\n
- Intercepts ALL network requests<\/strong> \u2013 Including
fetch()<\/code>, XMLHttpRequest<\/code>, and sendBeacon()<\/code><\/li>\n\n\n\n- Decodes encrypted payloads<\/strong> \u2013 The SDK uses Caesar cipher encoding; the extension decodes everything automatically<\/li>\n\n\n\n
- Tracks forms in real-time<\/strong> \u2013 Scans the DOM, including iframes, to show which forms are being tracked<\/li>\n\n\n\n
- Persists data across navigations<\/strong> \u2013 Data stays available even as users navigate around a site<\/li>\n<\/ol>\n\n\n\n
But the interesting part isn’t what<\/em> it does\u2014it’s how<\/em> it does it.<\/p>\n\n\n\n
\n\n\n\nThe Technical Deep Dive<\/h2>\n\n\n\nChallenge #1: Running Code in the Page’s JavaScript Context<\/h3>\n\n\n\n
Chrome extensions run in an “isolated world” by default\u2014a separate JavaScript context from the page. This is great for security but terrible for intercepting network calls that the page makes.<\/p>\n\n\n\n
The solution? Chrome’s Manifest V3 introduced world: \"MAIN\"<\/code> for content scripts:<\/p>\n\n\n\n{\n \"content_scripts\": [\n {\n \"matches\": [\"<all_urls>\"],\n \"js\": [\"content\/interceptor.js\"],\n \"run_at\": \"document_start\",\n \"world\": \"MAIN\", \/\/ Run in page context, not isolated world\n \"all_frames\": true\n }\n ]\n}\n<\/code><\/pre>\n\n\n\nThis lets my interceptor script monkey-patch fetch<\/code>, XMLHttpRequest<\/code>, and navigator.sendBeacon<\/code> before any page scripts run<\/strong>.<\/p>\n\n\n\nChallenge #2: Capturing Requests Before They Leave<\/h3>\n\n\n\n
Here’s how I intercept sendBeacon<\/code> (commonly used by analytics SDKs):<\/p>\n\n\n\nconst originalBeacon = navigator.sendBeacon.bind(navigator);\n\nnavigator.sendBeacon = function (url, data) {\n if (isFactorsUrl(url)) {\n \/\/ Capture the request data before it's sent\n sendNetworkRequest({\n url: url,\n method: 'POST',\n requestBody: data,\n timestamp: Date.now(),\n type: 'beacon',\n pageUrl: window.location.href\n });\n }\n\n return originalBeacon(url, data);\n};\n<\/code><\/pre>\n\n\n\nThe key insight: I capture the data before<\/strong> calling the original function. This means I get the full request body, which Chrome DevTools’ Network tab often can’t show for sendBeacon<\/code> calls.<\/p>\n\n\n\nChallenge #3: Dual-Layer Capture for 100% Coverage<\/h3>\n\n\n\n
What if my content script injection fails? What if there’s a race condition? I built a dual-layer approach<\/strong>:<\/p>\n\n\n\nLayer 1: Content Script Injection (Primary)<\/strong><\/p>\n\n\n\n\n- Runs in
MAIN<\/code> world at document_start<\/code><\/li>\n\n\n\n- Intercepts network APIs directly<\/li>\n\n\n\n
- Gets full request bodies<\/li>\n<\/ul>\n\n\n\n
Layer 2: Service Worker with webRequest API (Backup)<\/strong><\/p>\n\n\n\n\n- Uses Chrome’s
webRequest.onBeforeRequest<\/code><\/li>\n\n\n\n- Catches any requests that slip through<\/li>\n\n\n\n
- Provides deduplication to prevent double-counting<\/li>\n<\/ul>\n\n\n\n
\/\/ Service worker backup layer\nchrome.webRequest.onBeforeRequest.addListener(\n async (details) => {\n if (!isFactorsCall(details.url)) return;\n\n const timestamp = Date.now();\n\n \/\/ Check if content script already captured this\n if (isRequestDuplicate(details.url, timestamp, 'webRequest')) {\n return; \/\/ Skip - content script got it\n }\n\n \/\/ Store the request...\n },\n { urls: ['<all_urls>'] },\n ['requestBody']\n);\n<\/code><\/pre>\n\n\n\nChallenge #4: Decoding Obfuscated Payloads<\/h3>\n\n\n\n
The Factors SDK encodes all request bodies using a Caesar cipher (shift = 4<\/code>). Instead of making users decode this manually, the extension does it automatically:<\/p>\n\n\n\nfunction decodeFactorsPayload(str, shift = 4) {\n if (!str || typeof str !== 'string') return str;\n\n let decoded = '';\n const first = 33 + shift; \/\/ 37\n\n for (let i = 0; i < str.length; i++) {\n const charCode = str[i].charCodeAt(0);\n\n if (charCode >= first && charCode <= 126) {\n decoded += String.fromCharCode(charCode - shift);\n } else if (charCode < first && charCode >= 33) {\n \/\/ Handle wrap-around\n decoded += String.fromCharCode((charCode % 33) + (126 - shift) + 1);\n } else {\n decoded += str[i];\n }\n }\n\n return decoded;\n}\n<\/code><\/pre>\n\n\n\nNow users see clean JSON payloads instead of gibberish.<\/p>\n\n\n\n
Challenge #5: Detecting Manual vs GTM Implementation<\/h3>\n\n\n\n
This was surprisingly tricky. The SDK creates a <script><\/code> element dynamically, so you can’t just check for <script src=\"factors.js\"><\/code> in the HTML.<\/p>\n\n\n\nMy approach:<\/p>\n\n\n\n
\n- Fetch the raw HTML source<\/strong> with XHR (not the DOM, which includes dynamic scripts)<\/li>\n\n\n\n
- Search for the SDK stub pattern<\/strong> in the raw HTML<\/li>\n\n\n\n
- If found in raw HTML<\/strong> \u2192 Manual implementation<\/li>\n\n\n\n
- If only in DOM (not raw HTML)<\/strong> \u2192 Dynamic\/GTM implementation<\/li>\n\n\n\n
- If both<\/strong> \u2192 Flag as duplicate installation (often a bug!)<\/li>\n<\/ol>\n\n\n\n
const SDK_PATTERNS = {\n \/\/ The initialization pattern (always present in the stub)\n faitrackerInit: \/window\\.faitracker\\s*=\\s*window\\.faitracker\\s*\\|\\|\/i,\n \/\/ Constants that confirm it's the actual stub\n faitrackerConst: \/FAITRACKER_QUEUED_EVENT|FAITRACKER_INIT_EVENT\/i\n};\n\nfunction checkRawHtmlSource() {\n const xhr = new XMLHttpRequest();\n xhr.open('GET', window.location.href, true);\n xhr.onreadystatechange = function () {\n if (xhr.readyState === 4 && xhr.status === 200) {\n const html = xhr.responseText;\n const hasFactorsInSource =\n SDK_PATTERNS.faitrackerInit.test(html) &&\n SDK_PATTERNS.faitrackerConst.test(html);\n\n if (hasFactorsInSource) {\n \/\/ It's a manual implementation\n }\n }\n };\n xhr.send();\n}\n<\/code><\/pre>\n\n\n\nChallenge #6: Real-Time Form Detection with Iframe Support<\/h3>\n\n\n\n
Tracking forms is more complex than you’d think. Forms can be:<\/p>\n\n\n\n
\n- Static in the HTML<\/li>\n\n\n\n
- Dynamically added by JavaScript<\/li>\n\n\n\n
- Inside same-origin iframes (like embedded HubSpot forms)<\/li>\n\n\n\n
- Modified after initial load<\/li>\n<\/ul>\n\n\n\n
My solution polls the DOM every 5 seconds, extracting forms from both the main document and accessible iframes:<\/p>\n\n\n\n
function extractFormsFromDocument(doc, sourceLabel) {\n const forms = [];\n const formElements = doc.querySelectorAll('form');\n\n formElements.forEach((form, index) => {\n forms.push({\n id: form.id || null,\n name: form.getAttribute('name') || null,\n action: form.getAttribute('action') || null,\n method: (form.getAttribute('method') || 'GET').toUpperCase(),\n source: sourceLabel,\n index\n });\n });\n\n return forms;\n}\n\nfunction detectAllForms() {\n const detectedForms = [];\n\n \/\/ Extract forms from current document\n const currentDocForms = extractFormsFromDocument(document, 'main');\n detectedForms.push(...currentDocForms);\n\n \/\/ Check inside same-origin iframes\n const iframes = document.querySelectorAll('iframe');\n iframes.forEach((iframe, index) => {\n try {\n const iframeDoc = iframe.contentDocument;\n if (iframeDoc) {\n const iframeForms = extractFormsFromDocument(iframeDoc, `iframe-${index}`);\n detectedForms.push(...iframeForms);\n }\n } catch (e) {\n \/\/ Cross-origin iframe - can't access\n }\n });\n\n return detectedForms;\n}\n<\/code><\/pre>\n\n\n\nThe extension also checks for specific tracking attributes (data-faitracker-form-bind<\/code>, data-faitracker-input-id<\/code>) to show users exactly which forms and fields the SDK is monitoring.<\/p>\n\n\n\n
\n\n\n\nLessons Learned<\/h2>\n\n\n\n1. Race Conditions Are Everywhere<\/h3>\n\n\n\n
Network interceptors, content scripts, service workers\u2014they all run at different times. I implemented:<\/p>\n\n\n\n
\n- Request buffering<\/strong> with sequence numbers<\/li>\n\n\n\n
- Debounced batch sending<\/strong> (50ms window)<\/li>\n\n\n\n
- Deduplication<\/strong> using URL + timestamp as keys<\/li>\n<\/ul>\n\n\n\n
2. Storage Requires Locking<\/h3>\n\n\n\n
Multiple requests can trigger storage updates simultaneously. I built a simple async lock:<\/p>\n\n\n\n
const storageLocks = new Map();\n\nasync function withStorageLock(domain, operation) {\n while (storageLocks.has(domain)) {\n await storageLocks.get(domain);\n }\n\n let releaseLock;\n const lockPromise = new Promise((resolve) => {\n releaseLock = resolve;\n });\n\n storageLocks.set(domain, lockPromise);\n\n try {\n return await operation();\n } finally {\n storageLocks.delete(domain);\n releaseLock();\n }\n}\n<\/code><\/pre>\n\n\n\n3. The Extension Must Be Invisible Until Needed<\/h3>\n\n\n\n
Users don’t want to think about debugging tools until something breaks. The extension:<\/p>\n\n\n\n
\n- Shows a checkmark badge when the SDK is detected<\/li>\n\n\n\n
- Automatically cleans up data after 24 hours<\/li>\n\n\n\n
- Groups network calls by page URL for easy navigation<\/li>\n<\/ul>\n\n\n\n
\n\n\n\nThe Architecture<\/h2>\n\n\n\n\u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n\u2502 Browser Page \u2502\n\u2502 \u2502\n\u2502 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510 \u2502\n\u2502 \u2502 interceptor.js \u2502 \u2502 content-script.js \u2502 \u2502\n\u2502 \u2502 (MAIN world) \u2502\u2500\u2500\u2500\u25b6\u2502 (Isolated world) \u2502 \u2502\n\u2502 \u2502 \u2502 \u2502 \u2502 \u2502\n\u2502 \u2502 \u2022 Patches fetch \u2502 \u2502 \u2022 Bridges messages \u2502 \u2502\n\u2502 \u2502 \u2022 Patches XHR \u2502 \u2502 \u2022 Buffers requests \u2502 \u2502\n\u2502 \u2502 \u2022 Patches beacon\u2502 \u2502 \u2022 Detects forms \u2502 \u2502\n\u2502 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518 \u2502\n\u2502 \u2502 \u2502\n\u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u253c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n \u2502\n \u25bc\n \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n \u2502 service-worker.js \u2502\n \u2502 \u2502\n \u2502 \u2022 webRequest backup capture \u2502\n \u2502 \u2022 Storage management \u2502\n \u2502 \u2022 Payload decoding \u2502\n \u2502 \u2022 Data persistence (24h) \u2502\n \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n \u2502\n \u25bc\n \u250c\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510\n \u2502 popup.js \u2502\n \u2502 \u2502\n \u2502 \u2022 Tabbed UI (Overview\/Events\/Network) \u2502\n \u2502 \u2022 Real-time updates \u2502\n \u2502 \u2022 Decoded payload display \u2502\n \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518\n<\/code><\/pre>\n\n\n\n
\n\n\n\nWhat I’d Do Differently<\/h2>\n\n\n\n\n- Use TypeScript<\/strong> \u2013 The codebase grew larger than expected. Type safety would have caught several bugs earlier.<\/li>\n\n\n\n
- Add unit tests<\/strong> \u2013 The encoding\/decoding logic and deduplication logic are perfect candidates for testing.<\/li>\n\n\n\n
- Build a “record session” feature<\/strong> \u2013 Export all captured data for sharing with team members.<\/li>\n<\/ol>\n\n\n\n
\n\n\n\nConclusion<\/h2>\n\n\n\n
Building this extension taught me that browser extensions are surprisingly powerful\u2014and surprisingly complex. The ability to intercept network requests before they’re sent, run code in the page’s context, and persist data across navigations makes Chrome extensions an underrated platform for developer tools.<\/p>\n\n\n\n
If you’re building debugging tools, consider the dual-layer approach: inject code directly where possible, but always have a backup. And never assume your code runs first\u2014race conditions will find you.<\/p>\n\n\n\n
\n\n\n\nThe extension is internal to Factors, but the patterns here apply to any analytics SDK debugger. Have questions about the implementation? Feel free to reach out!<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"If you’ve ever worked with analytics SDKs, you know the pain. Someone reports that form submissions aren’t being tracked. Or user identification calls are mysteriously failing. You open Chrome DevTools,…<\/p>\n","protected":false},"author":1,"featured_media":151,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8],"tags":[],"class_list":["post-24","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn-with-me"],"jetpack_featured_media_url":"https:\/\/balamurali.in\/blog\/wp-content\/uploads\/2026\/02\/building_chrome_extension.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/posts\/24","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/comments?post=24"}],"version-history":[{"count":2,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/posts\/24\/revisions"}],"predecessor-version":[{"id":29,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/posts\/24\/revisions\/29"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/media\/151"}],"wp:attachment":[{"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/media?parent=24"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/categories?post=24"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/tags?post=24"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}