Last updated: July 15, 2026
Lesuto Chameleon Toolkit is a Chrome extension published by Lesuto Technologies, Inc. It is a developer tool for merchants, suppliers, and developers building on the Lesuto Chameleon e-commerce platform. The extension can block analytics and tracking requests during development sessions so that developer activity does not pollute production metrics, and provides a one-click visual editor (the “Studio”) for the Chameleon SDK. The tracking / ad shield is off by default. The user must turn the master switch on in the popup for blocking or cosmetic hiding to take effect.
The Lesuto Chameleon Toolkit does not collect, transmit, or store personal information about you for the publisher's purposes.
The extension specifically:
The single exception — covered in detail in “Authentication Information” below — is the user's existing Lesuto admin session token, which the extension reads from the same browser tab the user is already signed in to and which is only ever sent back to the same admin API the user is already authenticated with.
To enable the Studio companion feature, the extension reads two values from
localStorage on admin.lesuto.com when the user has that
site open in another tab:
vendure-auth-token — the user's existing admin session token.vendure-selected-channel-token — the user's currently active channel.
These values are stored locally in chrome.storage.local under the key
lesutoAuth. They are used to:
https://api.lesuto.com/api/v3/admin/graphql), which proxies to the
same admin backend the user signed into.sdkPreview tokens for previewing draft Studio
configs through the same gateway.postMessage.
The auth token is never sent to any server other than Lesuto's
first-party API gateway (api.lesuto.com), which proxies to the admin
backend the token came from (admin.lesuto.com). It is
never sent to a publisher analytics endpoint, third-party service,
or anywhere outside the user's own tenant. To revoke it, log out of
admin.lesuto.com — the extension will detect the cleared localStorage
within 60 seconds and disconnect.
The extension uses chrome.storage.local to persist state on the local
device. None of this data leaves the browser except as described above for the auth
token.
| Storage key | Purpose | Sent externally? |
|---|---|---|
shieldState.enabled |
Whether the tracking shield is on or off | No — local only |
shieldState.categories |
Per-category blocking toggles | No — local only |
shieldState.blockCounts |
Per-category counters for the popup display | No — local only |
lesutoAuth |
User's own admin session token, mirrored from admin.lesuto.com localStorage | Only to api.lesuto.com (the first-party gateway proxying to the admin backend the token came from) |
draft_{channelToken}_{host}_{siteId} |
Pending Studio editor configurations the user has not yet published. The trailing site segment scopes drafts per-deployment so a single channel with multiple stores never overwrites a sibling store’s pending changes. | Only to admin.lesuto.com when the user clicks “Publish” |
| Permission | Why It's Needed |
|---|---|
declarativeNetRequest |
Block analytics, ad network, and pixel requests at the browser level before they are sent. Uses Chrome's built-in rule engine — the extension never sees request bodies or response content. |
declarativeNetRequestFeedback |
Count how many network-level requests were blocked, displayed in the popup. Available only in unpacked/dev mode; production block counts come from the content-script intercepts. |
storage |
Save user preferences, block counters, the auth token described above, and
studio drafts in chrome.storage.local. |
activeTab |
When the user clicks “Open Studio,” grants temporary access to the active tab so the extension can inject the Studio script. Granted only on user interaction with the popup. |
scripting |
Used in three user-driven flows: (1) inject the Studio script on
“Open Studio,” (2) bridge studio saves to an open admin tab via
chrome.scripting.executeScript, and (3) when the shield is on and
Ad Networks is enabled, insert / remove cosmetic CSS on the active tab to hide
common third-party ad shells (YouTube, Search, Reddit, and similar). The CSS
path does not read page content or form fields. |
tabs |
Used in two queries: locating an open admin.lesuto.com tab to
postMessage saved configs to, and identifying the active tab's host so drafts
can be keyed correctly. The extension does not enumerate URLs of unrelated
tabs. |
host_permissions: <all_urls> |
When the user turns the shield on, tracking interception must run on any website they visit. The Studio companion injects on the active tab only when the user clicks “Open Studio.” We never read page content, form data, or arbitrary cookies — only intercept outgoing tracking requests (when enabled) and append the studio script tag on demand. |
Four content scripts run as part of the extension:
fetch, XHR, sendBeacon, and tracking
function calls (gtag, fbq, ttq,
pintrk, dataLayer.push) to block tracking. Does not read
form data or cookies.
vendure-auth-token and vendure-selected-channel-token
from localStorage on the admin site and forwards them to the extension service
worker. Same origin the user is already signed in to.
When the user clicks “Open Studio,” the extension appends a single
<script> tag pointing to a version-pinned
publisher-hosted bundle such as
https://www.lesuto.com/chameleon-studio.v2.0.1.js
(the exact patch version is fixed in the extension build). Pinning ensures a Store
update is required before users receive a different Studio build. The rolling URL
https://www.lesuto.com/chameleon-studio.js is used only by the
bookmarklet and demo surfaces, not by the published extension. This is
first-party Lesuto code — the same editor used at
demo.lesuto.com/editor. The extension
never modifies page content beyond adding that one script tag on explicit user
interaction. Injection is refused on browser-owned pages
(chrome://, New Tab, Settings, and similar).
The extension does not use any third-party services, SDKs, or libraries. It is built entirely with standard Chrome Extension APIs (Manifest V3) and ships no bundled dependencies.
This extension is a developer tool and is not directed at children under 13. We do not knowingly collect any information from children.
We may update this privacy policy from time to time. Changes will be posted on this page with an updated “Last updated” date. Continued use of the extension after changes constitutes acceptance of the revised policy.
If you have questions about this privacy policy or the extension, contact us at:
Email: support@lesuto.com
Website: www.lesuto.com