Skip to content
InPolicy InPolicy Docs

What the extension detects

The extension is loaded on every page you visit, but it only does anything once you start typing in a text field on a site that hasn’t been excluded. This page covers where it’s active, what it reads, and what triggers a visible flag.

Where it’s active

Section titled “Where it’s active”

The extension uses three modes depending on the site:

Google Docs (custom integration)

Section titled “Google Docs (custom integration)”

Google Docs renders text inside an iframe with a heavily-sandboxed DOM. A generic text observer can’t see what you’re typing. The extension injects a dedicated bridge script on docs.google.com that extracts your text via postMessage and flags violations the same way it does elsewhere.

Coverage: the main document body. The title, comments, and suggestion mode text are not currently scanned.

Gmail (custom integration)

Section titled “Gmail (custom integration)”

Gmail’s compose window is a contenteditable in an iframe. The extension uses gmail-js to hook into Gmail’s compose lifecycle — it knows when you open a new compose, when you switch between drafts, and when you’re editing the subject vs. the body.

Coverage: the compose body. Subject lines, the recipient field, and text in already-sent emails are not scanned.

Word Online (custom integration)

Section titled “Word Online (custom integration)”

The extension renders pink highlights on flagged spans inside Word Online’s editor. Clicking a highlight opens the popup with the policy guidance and suggested rewrite. Apply commits the rewrite to the document; the change is fully undoable with Cmd+Z / Ctrl+Z, same as any edit you make yourself.

Coverage: the main document body. Comments, headers and footers, and content inside already-tracked changes are not scanned.

PowerPoint Online (custom integration)

Section titled “PowerPoint Online (custom integration)”

The extension renders pink highlights on flagged spans inside PowerPoint Online slides. Clicking a highlight opens the popup with the policy guidance and the suggested replacement.

Apply is currently disabled on PowerPoint. The button is visible but grayed out, with a tooltip explaining why.

Why: PowerPoint Online’s editor engine accepts text changes from the extension’s apply-fix path but does not register them on the user’s undo history — Cmd+Z / Ctrl+Z can’t revert them. The same code path on Word Online does register on undo, so this is a Microsoft-side parity gap. We disable Apply on PowerPoint to prevent users from making permanent slide changes they can’t undo through the normal affordance. You can still read the suggested replacement in the popup and apply it manually in the slide.

Coverage: the active slide’s text shapes. Speaker notes, comments, and SmartArt are not scanned.

Google Slides (custom integration)

Section titled “Google Slides (custom integration)”

Same model as Google Docs — bridge script extracts per-slide text, applies fix via the Edit > Find and replace menu. Apply is supported and undoable.

Coverage: text inside text boxes on the active slide. Speaker notes, comments, and shape labels are not currently scanned.

Generic (every other site)

Section titled “Generic (every other site)”

On every other URL, the extension uses a generic text observer that watches:

  • <input> elements (except password, file, date, and other non-text types)
  • <textarea> elements
  • contenteditable elements (common in rich-text editors like Notion, Slack web, Linear, etc.)

It runs inside frames on most pages, with the custom-integration exceptions above handled specially.

What text it reads

Section titled “What text it reads”

Only the text you’re currently typing into the focused field. The extension:

  • Does not read text from other fields on the page that you’re not actively editing.
  • Does not read text from other tabs, windows, or apps.
  • Does not read the URLs of pages you visit except to decide whether to activate.
  • Does not read text from password fields or file inputs.

Text is sent to the InPolicy backend over HTTPS, scanned against your tenant’s active policies, and the result is returned. The backend does not store the text being scanned — it processes the request and discards.

How detection works

Section titled “How detection works”
  1. You type in a monitored text field.
  2. The extension waits 800ms after your last keystroke (debouncing rapid typing).
  3. It sends the current text to your tenant’s detection API.
  4. The API returns a list of violations with character positions.
  5. The extension draws underlines under matched spans in the page.
  6. When you click an underline, the policy card appears as an overlay.

What a violation looks like

Section titled “What a violation looks like”

Violations are colored by severity:

  • Red underline (severity 8–10): a critical policy conflict. The card always shows on hover or click.
  • Orange underline (severity 4–7): a medium-severity concern. The card appears when you click.
  • Yellow underline (severity 1–3): a low-severity hint. Easy to ignore; often informational.

Each violation card shows:

  • The policy name and a short excerpt of the rule that was violated.
  • Matched text — the part of what you typed that triggered the match.
  • Enforcement action:
    • Fix — a suggested rewrite, with a button to apply it in place.
    • Warning — an explanation of why this is a concern; no rewrite offered.
    • Audit — the extension shows nothing to you; the violation is logged silently. (You won’t see a card or underline for audit-only policies.)
  • 👍 / 👎 — feedback buttons. Useful feedback trains the model; “not useful” silences that specific match for you going forward.
  • Learn more — link to the full policy on the web app.

What it does not do

Section titled “What it does not do”
  • It does not block you from sending anything. Even on a red-severity policy conflict, the extension just warns. Sending is your call.
  • It does not read existing content you haven’t touched. If you open an old draft, nothing is scanned until you start editing.
  • It does not scan messages after you’ve sent them.
  • It does not work offline. Without a connection to the backend, no violations can be detected. The underline won’t appear; the card won’t show.

Which policies you see

Section titled “Which policies you see”

The extension only flags:

  • Policies in your tenant.
  • Policies with status PUBLISHED.
  • Policies currently within their effective window.
  • Policies whose scope matches your user attributes (team, country, etc.) — if a policy’s scope is set, it only applies to users matching.

Drafts, unpublished policies, and expired policies are ignored.

Privacy

Section titled “Privacy”
  • The extension never transmits text until you type into a monitored field.
  • The text is sent only to your tenant’s backend — never to a third party.
  • Violation events are logged to analytics without the offending text. Only metadata (policy ID, severity, action taken) is retained for reporting. See Analytics privacy for the full story.
Section titled “Related”