> And why does this site has no scrollbar

Seems someone decided it was a good idea to make the scrollbar tiny and basically the same colour as the background:

    scrollbar-width: thin;
    scrollbar-color: rgb(219,219,219) rgb(255,255,255);

Oh, thanks! It's working when you just hit the right pixel somewhere around the left border.

We beg to differ. Consider for example "BlockSite Block Websites and Stay Focused" why would you need to send browsing data to remote server if your job is only to block selected domains?

If you look at the request made, then it seems to check the category of the site, for whatever reason. I don't know that extensions, so I don't know if this is a legit use, sloppy use or harmful. I'm also not saying they found nothing at all. But looking through what they found, they seem to have not even thought much about whether those cases are legit and in the excepted and necessary realm of actions the add-on is supposed to do, or if it's really harmful behaviour. I also don't see anything about how often the request was made. Was it on every url-change, or just once/occasionally?

This whole article is a bit too superficial for me.

This other research points to this type of pattern (sending all URLs to a server to allegedly provide functionality) being used under false pretenses: https://palant.info/2025/01/13/biscience-collecting-browsing...

In particular, look for the diagram provided by a data vendor showing this in action.

As with safebrowsing and adblocking extensions, there is no need to send data to servers.

Many groups of smart people have developed client-side and/or privacy-preserving implementations that have worked with high effectiveness for decades.

Unfortunately, many other groups have also financial incentives to not care about user privacy, so they go the route shown in the research.

> being used under false pretenses

Yes, obviously is that possible, but the least that one should do then is looking up what's really happening. These are browser addons, the source code is available. But instead they are looking from the outside and calling alarm on something they don't understand. That's just poor behaviour and harmful in today's climate.

If you read their full paper, they do technical analysis confirming findings in many cases. Many other researchers have done the same in the recent past.

Full paper also says that the unique URLs were later requested by crawlers, which confirms server-side collection.

What happens server-side is also confirmed by the palant.info article that shows a graphic provided by a major data broker that shows exactly how they mis-use data collected by extensions under false pretenses.

It's far from speculation when there's both technical evidence collected by researchers and direct evidence provided by the bad actors themselves.