What the extension detects

The InPolicy browser extension runs on every page you visit, but it only does anything when you start typing in a text field that isn’t on a site you’ve excluded. This page explains where it’s active, what it reads, and what triggers a visible flag.

The extension uses three modes depending on the site:

Google Docs renders text inside an iframe with a heavily-sandboxed DOM. A generic text observer can’t see what you’re typing. The extension injects a dedicated bridge script on docs.google.com that extracts your text via postMessage and flags violations the same way it does elsewhere.

Coverage: the main document body. The title, comments, and suggestion mode text are not currently scanned.

Gmail’s compose window is a contenteditable in an iframe. The extension uses gmail-js to hook into Gmail’s compose lifecycle — it knows when you open a new compose, when you switch between drafts, and when you’re editing the subject vs. the body.

Coverage: the compose body. Subject lines, the recipient field, and text in already-sent emails are not scanned.

On every other URL, the extension uses a generic text observer that watches:

  • <input> elements (except password, file, date, and other non-text types)
  • <textarea> elements
  • contenteditable elements (common in rich-text editors like Notion, Slack web, Linear, etc.)

It runs inside frames on most pages, with the Google Docs and Gmail exceptions handled specially.

The extension reads only the text you’re currently typing into the focused field. It:

  • Does not read text from other fields on the page that you’re not actively editing.
  • Does not read text from other tabs, windows, or apps.
  • Does not read the URLs of pages you visit except to decide whether to activate.
  • Does not read text from password fields or file inputs.

Text is sent to the InPolicy backend over HTTPS, scanned against your tenant’s active policies, and the result is returned. The backend does not store the text being scanned — it processes the request and discards it.

  1. You type in a monitored text field.
  2. The extension waits 300ms after your last keystroke (debouncing rapid typing).
  3. It sends the current text to your tenant’s detection API.
  4. The API returns a list of violations with character positions.
  5. The extension draws underlines under matched spans in the page.
  6. When you click an underline, the policy card appears as an overlay.

Violations are colored by severity:

  • Red underline (severity 8–10): a critical policy conflict. The card always shows on hover or click.
  • Orange underline (severity 4–7): a medium-severity concern. The card appears when you click.
  • Yellow underline (severity 1–3): a low-severity hint. Easy to ignore; often informational.
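
The flow above, sketched as an added example (not InPolicy's own code): a 300ms debounce, then mapping returned violations to colored underlines. The `scan` transport, the field names `start`, `end`, `severity` and `action`, and the choice to drop responses that arrive after the text has changed are assumptions made for illustration.

```javascript
// Added illustration, not InPolicy's code. Field names (start, end, severity,
// action) and the scan() transport are assumptions about the API's shape.
const DEBOUNCE_MS = 300; // from the page: wait 300ms after the last keystroke

// Severity bands from the page: 8-10 red, 4-7 orange, 1-3 yellow.
function colorFor(severity) {
  if (!Number.isInteger(severity) || severity < 1 || severity > 10) return null;
  return severity >= 8 ? "red" : severity >= 4 ? "orange" : "yellow";
}

// Convert a response into underline spans for the exact text that was scanned.
function toUnderlines(text, violations) {
  return violations
    .filter((v) => v.action !== "audit") // audit-only: logged, never shown
    .filter((v) => Number.isInteger(v.start) && Number.isInteger(v.end) &&
                   v.start >= 0 && v.start < v.end && v.end <= text.length)
    .map((v) => ({ start: v.start, end: v.end, color: colorFor(v.severity),
                   matched: text.slice(v.start, v.end) }))
    .filter((u) => u.color !== null);
}

const realTimers = {
  set: (fn, ms) => setTimeout(fn, ms),
  clear: (handle) => clearTimeout(handle),
};

// Returns the input handler. scan(text, callback) sends text to the detection
// API; draw(spans) renders underlines. Timers are injectable for testing.
function createScanner(scan, draw, timers = realTimers) {
  let handle = null;
  let version = 0; // bumped on every keystroke
  return function onInput(text) {
    const mine = ++version;
    if (handle !== null) timers.clear(handle);
    handle = timers.set(() => {
      handle = null;
      scan(text, (violations) => {
        // Drop stale responses: their character positions refer to old text.
        if (mine !== version) return;
        draw(toUnderlines(text, violations));
      });
    }, DEBOUNCE_MS);
  };
}
```

Because the timer is reset on every keystroke, intermediate text is never sent; only the text present after 300ms of inactivity reaches the detection API.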

Each violation card shows:

  • The policy name and a short excerpt of the rule that was violated.
  • Matched text — the part of what you typed that triggered the match.
  • Enforcement action:
    • Fix — a suggested rewrite, with a button to apply it in place.
    • Warning — an explanation of why this is a concern; no rewrite offered.
    • Audit — the extension shows nothing to you; the violation is logged silently. (You won’t see a card or underline for audit-only policies.)
  • 👍 / 👎 — feedback buttons. Useful feedback trains the model; “not useful” silences that specific match for you going forward.
  • Learn more — link to the full policy on the web app.

What the extension does not do:

  • It does not block you from sending anything. Even on a red-severity policy conflict, the extension just warns. Sending is your call.
  • It does not read existing content you haven’t touched. If you open an old draft, nothing is scanned until you start editing.
  • It does not scan messages after you’ve sent them.
  • It does not work offline. Without a connection to the backend, no violations can be detected. The underline won’t appear; the card won’t show.

The extension only flags:

  • Policies in your tenant.
  • Policies with status PUBLISHED.
  • Policies currently within their effective window.
  • Policies whose scope matches your user attributes (team, country, etc.) — if a policy’s scope is set, it only applies to users matching.

Drafts, unpublished policies, and expired policies are ignored.

  • The extension never transmits text until you type into a monitored field.
  • The text is sent only to your tenant’s backend — never to a third party.
  • Violation events are logged to analytics without the offending text. Only metadata (policy ID, severity, action taken) is retained for reporting. See Analytics privacy for the full story.