Privacy & Security

TagDragon is built with privacy as a core principle. Here’s everything you need to know about how it handles data.

No data leaves your browser

TagDragon processes all data locally in your browser. It does not:

  • Send any data to external servers
  • Include any analytics or tracking of its own
  • Use any third-party services
  • Require an account or internet connection to function
  • Store or transmit any personally identifiable information

All captured requests, decoded parameters, and settings are stored exclusively in chrome.storage.local and are never transmitted anywhere.

Why this matters

TagDragon is designed to audit tracking and analytics implementations. It would be counterproductive for an audit tool to collect data itself. The tool is fully transparent — the source code is open source and available for anyone to inspect.

Permissions

TagDragon requires the following Chrome permissions:

Permission | Purpose
webRequest | Capture network requests for tracking detection and decoding
declarativeNetRequest | Redirect Adobe Launch URLs for the Environment Switcher feature
storage | Persist settings, hidden providers, and preferences to chrome.storage.local
cookies | Read and clear cookies for the Consent Panel feature
scripting | Inject content scripts for data layer interception (GTM, Tealium, Adobe, Segment, W3C digitalData)

Host Permissions

Permission | Purpose
<all_urls> | Required to capture tracking requests and inject data layer scripts on any website. TagDragon only reads network data — it never modifies page content or makes its own requests.

How each permission is used

  • webRequest — Used to capture network requests via chrome.webRequest API for tracking detection, decoding, and real-time monitoring.
  • declarativeNetRequest — Used exclusively by the Adobe Environment Switcher to redirect Launch library URLs between DEV/ACC/PROD environments. No other network requests are modified.
  • storage — All settings (max requests, auto-prune threshold, theme, hidden providers, timestamp format, export format, Adobe env redirects) are stored locally. No data is synced to Google accounts or cloud storage.
  • cookies — The Consent Panel reads cookies to display the current consent state. The “Clear Cookies” button deletes cookies for the inspected page’s domain only.
  • scripting — Content scripts are injected into the inspected tab to intercept data layer pushes (GTM, Tealium, Adobe, Segment, W3C digitalData). The scripts only communicate via postMessage and do not modify page content.
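
To check a built or installed copy against the permission list above, the following added example (not TagDragon's own code) compares a parsed manifest.json with that list. The function name auditManifest and both sample manifests are constructed for illustration; the manifest keys are assumed to follow the standard Manifest V3 layout.

```javascript
// Added example, not part of TagDragon. The permission names are the ones
// documented on this page; everything else here is an assumption.
const DOCUMENTED_PERMISSIONS = ["webRequest", "declarativeNetRequest", "storage", "cookies", "scripting"];

// A match pattern is "<all_urls>" or contains a scheme separator. Older
// manifests may list such patterns under "permissions", so split them out.
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

function auditManifest(manifest) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  const perms = new Set(declared.filter((p) => !isHostPattern(p)));
  // The page documents <all_urls>, which already covers every narrower
  // pattern, so host patterns are reported for review rather than diffed.
  const hostPatterns = [...new Set([
    ...declared.filter(isHostPattern),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
  ])].sort();
  const undocumentedPermissions = [...perms]
    .filter((p) => !DOCUMENTED_PERMISSIONS.includes(p))
    .sort();
  return {
    undocumentedPermissions,
    // Documented but not requested: harmless, but the docs are out of date.
    missingDocumented: DOCUMENTED_PERMISSIONS.filter((p) => !perms.has(p)).sort(),
    hostPatterns,
    ok: undocumentedPermissions.length === 0,
  };
}

// Constructed sample manifests (not taken from any TagDragon release).
const SAMPLE_MATCHING = {
  manifest_version: 3,
  permissions: ["webRequest", "declarativeNetRequest", "storage", "cookies", "scripting"],
  host_permissions: ["<all_urls>"],
};
const SAMPLE_EXTRA = {
  manifest_version: 3,
  permissions: ["webRequest", "storage", "scripting", "declarativeNetRequest", "tabs", "history"],
  host_permissions: ["<all_urls>"],
};

console.log(auditManifest(SAMPLE_MATCHING));
console.log(auditManifest(SAMPLE_EXTRA));
```

Any entry in undocumentedPermissions is a permission the extension requests that this page does not explain, and is the first thing to question when reviewing a release.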

Data storage

All data is stored in chrome.storage.local:

  • Settings — User preferences and configuration
  • Hidden providers — Provider filter state
  • Adobe environment redirects — Per-hostname environment selections
  • Popup statistics — Temporary session stats (not persisted across browser restarts)

You can view and clear all stored data by going to chrome://extensions/ → TagDragon → Clear data (or remove and reinstall the extension).

Open source

TagDragon is released under the ISC License. The complete source code is available on GitHub for anyone to audit, fork, or contribute to.

There are no hidden dependencies, no obfuscated code, and no bundled analytics SDKs. You can build TagDragon from source and verify that the built output matches the released version.

Content scripts

TagDragon injects content scripts into inspected pages for data layer interception. These scripts:

  • Run in the MAIN world (to intercept dataLayer.push()) and the ISOLATED world (to relay data via postMessage)
  • Do not modify any page content or DOM
  • Do not make any network requests
  • Only communicate with the TagDragon background script via chrome.runtime.sendMessage

Reporting security issues

If you find a security vulnerability, please report it responsibly:

  1. Open a GitHub issue with the Security label
  2. Or contact the maintainer directly via GitHub
  3. Please do not publicly disclose vulnerabilities until they have been patched
