Play From Spotify
Overview
⚠️ NOTE: You must have Spotify Premium for this to work.
Ditch the tab juggling and fragmented listening! This extension lets you:
- 🕹️ Control your browser's Spotify player from any window. No more app switching or minimized windows. Enjoy seamless music without ever leaving your workflow.
- 🌎 Cast from anywhere: Whether you are in a different room or a different continent, easily control your browser's music player from your phone or another computer!
- ✏️ Custom device name: Give your browser your own custom name and add as many as you like! (e.g. My Laptop, Desktop #1, Mom's computer etc.)
🚀 Ready to break free from the desktop app? Install now and experience music like never before!
Security Analysis — Play From Spotify
Package Contents 26 files · 4.2MB
What This Extension Does
Play From Spotify is a browser extension designed to cast music directly from the Spotify service into your web browser, allowing for seamless playback control without needing external hardware. It targets users who want an integrated audio experience within their current browsing session. The extension operates using Manifest V3 and communicates with Spotify's official APIs to retrieve track data and manage playback states.
Permissions Explained
- identity (check this): This permission allows the extension to access your Google account information, such as your profile picture and email address. This is often used for authentication or linking accounts but can be a privacy risk if misused.
  Technical: Accesses the chrome.identity.getProfileUserInfo() API. If compromised, an attacker could potentially harvest user identity tokens or impersonate the user within the browser ecosystem.
  ⚠ The extension's primary function is media casting; access to the user's identity profile is not strictly necessary for playback functionality and represents a potential privacy overreach.
- storage (expected): This allows the extension to save small pieces of data like settings, preferences, or temporary state information on your computer.
  Technical: Uses the chrome.storage.sync and chrome.storage.local APIs. If compromised, an attacker could read saved user preferences or inject malicious data into the storage layer.
- offscreen (expected): This enables the extension to run a background process that stays active even when no windows are open, which is necessary for continuous audio playback.
  Technical: Uses the chrome.offscreen API to create an offscreen document. This allows persistent network activity and event listening without consuming excessive main-thread resources.
Your Data
The extension connects to Spotify's official servers to fetch music metadata and control playback. It also contacts various third-party CDNs (like reactjs.org and underscorejs.org) to load necessary libraries for its interface.
Technical Details
Code Findings
The code uses a method to insert HTML content directly into the webpage. If this content comes from an untrusted source, it could theoretically allow attackers to run scripts on your computer.
Technical: Code pattern: innerHTML assignment detected in content scripts or injected elements. Risk vector involves user-controlled data being rendered without strict sanitization, potentially leading to DOM-based XSS if the extension interacts with dynamic content.
💡 innerHTML is commonly used by extensions to render rich media players, custom UI overlays, or embed third-party widgets (like Spotify's web player).
The extension uses techniques to hide its code structure, making it harder for average users to read or understand exactly what the software is doing.
Technical: Patterns detected: String.fromCharCode and charCodeAt usage. These are standard obfuscation techniques used to bypass simple static analysis tools or hide logic from casual inspection.
💡 Developers sometimes use these methods to protect proprietary algorithms or prevent reverse engineering of their business logic.
The extension uses a standard messaging system to talk to other websites, which is how it interacts with Spotify's web interface.
Technical: Uses window.postMessage API for cross-origin communication. This allows the extension to send messages between different domains (e.g., the extension context and open.spotify.com).
💡 Essential for extensions that need to interact with third-party websites without violating Same-Origin Policy restrictions.
The extension does not have a strict security rule set that limits what kind of code can run on your computer, leaving it more vulnerable to attacks.
Technical: Content-Security-Policy header is not set in the manifest or runtime. This allows inline scripts and styles by default, increasing the attack surface for XSS vulnerabilities.
Play From Spotify provides a functional media casting experience but presents moderate security concerns due to unnecessary identity access and code obfuscation. The lack of a Content Security Policy combined with direct innerHTML usage creates a non-trivial risk of script injection. Users should exercise caution, particularly if they are not comfortable with the developer's transparency regarding their code structure.