Stylus
🔍 Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Overview
Redesign your favorite websites with Stylus, an actively developed and community driven userstyles manager. Easily install custom themes from popular online repositories, or create, edit, and manage your own personalized CSS stylesheets.
Features
* Versatility of theme installation options. Stylus supports installs from popular online repositories. Additionally, styles can now also be installed from .user.css or .user.styl URLs (see Usercss format documentation in our github wiki).
* A backup feature for your entire database of installed styles which is compatible with other userstyles managers.
* An intuitive and configurable automatic update function for installed styles.
* A highly customizable UI, including theming, optional layouts, icon and badge color choices, along with many other tweaks.
* Two different optional code validators with user configurable rules.
Useful Links
* Beta version: https://chrome.google.com/webstore/detail/stylus-beta/apmmpaebfobifelkijhaljbmpcgbjbdo
* Source code: https://github.com/openstyles/stylus
* Video tutorial: https://youtu.be/fCVvGwoF5cQ
* Chat room: https://discord.gg/tzXVNJz
* Frequently asked questions: https://github.com/openstyles/stylus/wiki/FAQ
* Technical bug report: https://github.com/openstyles/stylus/issues
* General discussion and bug report: https://add0n.com/stylus.html#reviews
* Localization: https://www.transifex.com/github-7/Stylus/dashboard/
Permissions
Stylus uses only a small subset of each permission. As you can see in WebExtensions API documentation or simplified tutorials, there's no way to apply any modifications to a web page without gaining the full access permission to that page. Stylus is mostly used to apply global themes, which is why it requests a global permission. In the future we might be able to implement a more granular approach but it's not exactly trivial.
* Read and change all your data on the websites you visit - required for the style elements to be added into the page, not to access any of your data.
Privacy Policy
Unlike other similar extensions, we don't find you to be all that interesting. Your questionable browsing history should remain between you and the NSA. Stylus collects nothing. Period.
See https://github.com/openstyles/stylus/blob/master/privacy-policy.md
Tags
Privacy Practices
Security Analysis — Stylus
Permissions
Package Contents
What This Extension Does
Stylus lets users install custom CSS themes on websites to change their appearance.
Your Data
The extension does not access personal data or send information outside the browser, as it only modifies webpage styles locally.
Code Findings
No automated code flags were raised for this extension.
Trustworthiness
- Developer: Developer is not explicitly named but the source code is hosted publicly at GitHub under openstyles/stylus.
- Privacy Policy: A privacy policy exists and states that no data is collected, which aligns with its declared functionality.
- Install Base: With 800,000 users and active development indicated via GitHub activity, the extension appears to be maintained.
Nothing in this scan suggests behavior beyond what is needed for managing website themes. Users can confidently install it based on its stated purpose.
Extension Overview
Stylus lets users install custom CSS themes on websites to change their appearance.
Data Exposure (Technical)
No external domains are referenced. The extension operates entirely within the browser environment and does not transmit any data to third parties.
Code Findings
No automated code flags were raised for this extension.
Code Analysis
- Obfuscation: none
- Content Security Policy: Content Security Policy is not set, which may allow some unsafe script execution or inline code injection if present.
- Architecture: The extension appears to lack a background service worker and content scripts. It likely uses manifest V3 with minimal runtime behavior, relying on declarativeNetRequest or similar for style application without persistent background activity.
Transparency
- Developer: Developer is not explicitly named but the source code is hosted publicly at GitHub under openstyles/stylus.
- Privacy Policy: A privacy policy exists and states that no data is collected, which aligns with its declared functionality.
- Code Visibility: Source code is available on GitHub, making it auditable by security researchers or developers.
- Install Base: With 800,000 users and active development indicated via GitHub activity, the extension appears to be maintained.
The extension's architecture lacks a background script or content scripts, reducing persistent attack surface. However, the absence of CSP allows potential unsafe eval or inline script execution if present in injected code. The lack of manifest V3 service worker usage may limit long-term tracking capabilities but does not eliminate all risks. Researchers should verify that no remote code is executed during style injection and confirm that CSS modifications are sandboxed properly.
