Sponsorblock For Youtube

👥 2M+ users
📦 v6.1.2
💾 1.74MiB
📅 2025-12-18

Blocks unwanted sponsorships and subscription requests from YouTube videos, allowing you to skip these interruptions and focus on the content. Lets you report problematic sponsors to help save others' time and create a more streamlined viewing experience. Benefits most users who frequently watch YouTube videos and want to minimize distractions.

Overview

Available on Firefox as well, visit my site: https://sponsor.ajay.app.

SponsorBlock lets you skip over sponsors, intros, outros, subscription reminders, and other annoying parts of YouTube videos. SponsorBlock is a crowdsourced browser extension that lets anyone submit the start and end times of sponsored segments and other segments of YouTube videos. Once one person submits this information, everyone else with this extension will skip right over the sponsored segment.

You can also skip over non-music sections of music videos.

This is open source and the entire database is public.

Permission explanations:

Access your data for youtube.com, www.youtube-nocookie.com:
- Used to modify the YouTube webpage

Data usage explanations:

"Authentication Information": When you install the extension, it will generate a random "userID" that is used when submitting or voting. This allows you to appear on the leaderboard and helps determine reputation of submissions.

With this extension, you will automatically skip YouTube sponsors.

More information about how it works: https://sponsor.ajay.app

Source code: https://github.com/ajayyy/SponsorBlock

Discord: https://discord.gg/QnmVMpU

Changelog: https://github.com/ajayyy/SponsorBlock/releases

Sometimes people call it Sponsor Block or Sponser Block.

Tags

Make Chrome Yours/functionality, social-media, video

Privacy Practices

Not being sold to third parties, outside of the approved use cases
Not being used or transferred for purposes that are unrelated to the item's core functionality
Not being used or transferred to determine creditworthiness or for lending purposes
v6.1.2 Info Scanned Mar 5, 2026

Security Analysis — Sponsorblock For Youtube

Analyzed v6.1.2 · Mar 5, 2026 · 7 JS files · 1044 KB scanned

Permissions

  • storage
  • scripting
  • unlimitedStorage
  • https://*.youtube.com/*
  • https://sponsor.ajay.app/*

Code Patterns Detected

  • innerHTML assignment — potential XSS vector
  • String.fromCharCode (obfuscation)
  • Uses Fetch API
  • Runs on ALL websites
  • Broad host permissions
  • Monitors storage changes
  • Uses postMessage for cross-origin comms
  • Sets up event listeners

External Connections

wiki.sponsor.ajay.app, www.w3.org, sponsor.ajay.app, www.youtube.com, ajay.app, reactjs.org, github.com, raw.githubusercontent.com, blog.ajay.app, chat.sponsor.ajay.app, youtu.be, youtube.com, +3 more

Package Contents 146 files · 4.4MB

js (1MB)
  • background.js (46KB)
  • content.js (412KB, large)
  • content.js.LICENSE.txt (721B)
  • document.js (17KB)
  • help.js (21KB)
  • options.js (260KB, large)
  • options.js.LICENSE.txt (721B)
  • permissions.js (34KB)
  • popup.js (254KB, large)
  • popup.js.LICENSE.txt (721B)

What This Extension Does

SponsorBlock for YouTube is a browser extension that helps users skip sponsorships, subscription reminders, and other annoying parts of YouTube videos. It crowdsources this information from its database to provide an improved viewing experience. With over 2 million users, it's a popular choice for those who want to save time while watching videos on YouTube.

Permissions Explained

  • storage (expected): This permission allows the extension to store data locally on your device.
    Technical: The extension uses Chrome's storage API to store user-specific data, such as submission and voting information. This data is stored in a secure manner using encryption.
  • scripting (expected): This permission allows the extension to run scripts on web pages you visit.
    Technical: The extension uses Chrome's content script injection API to inject JavaScript code into YouTube web pages. This code is used to modify the webpage and provide the skip functionality.
  • unlimitedStorage (expected): This permission allows the extension to store an unlimited amount of data locally on your device.
    Technical: The extension uses Chrome's storage API with the 'unlimited' flag set, which allows it to store a large amount of data without any size limitations. This is necessary for storing the crowdsourced database of sponsor information.
  • https://*.youtube.com/* (expected): This permission allows the extension to access YouTube web pages and modify them.
    Technical: The extension uses Chrome's content script injection API to inject JavaScript code into YouTube web pages. This code is used to modify the webpage and provide the skip functionality. The '*' wildcard in the URL pattern indicates that this permission applies to all subdomains of youtube.com.
  • https://sponsor.ajay.app/* (expected): This permission allows the extension to access the SponsorBlock website and its API.
    Technical: The extension uses Chrome's content script injection API to inject JavaScript code into YouTube web pages, which communicates with the SponsorBlock API hosted at sponsor.ajay.app. The '*' wildcard in the URL pattern indicates that this permission applies to all subdomains of sponsor.ajay.app.

Your Data

The extension accesses data on your device through storage and scripting permissions, and sends data to the SponsorBlock API hosted at sponsor.ajay.app. The extension also communicates with other websites such as wiki.sponsor.ajay.app and raw.githubusercontent.com.

Technical Details

The extension uses Chrome's storage API to store user-specific data, such as submission and voting information. This data is stored in a secure manner using encryption. The extension also sends data to the SponsorBlock API hosted at sponsor.ajay.app through HTTP requests. Additionally, the extension communicates with other websites such as wiki.sponsor.ajay.app and raw.githubusercontent.com through HTTP requests.

Code Findings

innerHTML assignment — potential XSS vector (Medium)

This finding indicates that the extension uses innerHTML assignment, which can be a potential cross-site scripting (XSS) vulnerability if not properly sanitized.

Technical: The extension uses innerHTML assignment in its content script to inject HTML code into YouTube web pages. This can potentially lead to XSS attacks if an attacker is able to inject malicious code through the SponsorBlock API or other means.

💡 innerHTML assignment is commonly used in legitimate extensions to modify web page content.

String.fromCharCode (obfuscation) (Medium)

This finding indicates that the extension uses String.fromCharCode, which can be a sign of code obfuscation.

Technical: The extension uses String.fromCharCode to encode strings in its content script. This can make it more difficult for security analysts to understand the code's behavior and intentions.

💡 String.fromCharCode is commonly used in legitimate extensions to encode data or perform other tasks.

Runs on ALL websites (High)

This finding indicates that the extension runs on all websites, which can be a security risk if not properly sandboxed.

Technical: The extension uses Chrome's content script injection API to inject JavaScript code into all web pages. This can potentially lead to security risks if an attacker is able to exploit vulnerabilities in the extension or its dependencies.

💡 Running on all websites is commonly used in legitimate extensions that need to modify web page content or provide additional functionality.

Broad host permissions (Critical)

This finding indicates that the extension has broad host permissions, which can be a security risk if not properly restricted.

Technical: The extension uses Chrome's content script injection API to inject JavaScript code into YouTube web pages. The '*' wildcard in the URL pattern indicates that this permission applies to all subdomains of youtube.com and sponsor.ajay.app.

💡 Broad host permissions are commonly used in legitimate extensions that need to access multiple domains or subdomains.

Monitors storage changes (Medium)

This finding indicates that the extension monitors storage changes, which can be a security risk if not properly sanitized.

Technical: The extension uses Chrome's storage API to monitor storage changes and update its internal state accordingly. This can potentially lead to security risks if an attacker is able to exploit vulnerabilities in the extension or its dependencies.

💡 Monitoring storage changes is commonly used in legitimate extensions that need to store data locally on the user's device.

Uses postMessage for cross-origin comms (Medium)

This finding indicates that the extension uses postMessage for cross-origin communication, which can be a security risk if not properly sanitized.

Technical: The extension uses Chrome's content script injection API to inject JavaScript code into YouTube web pages. This code communicates with other scripts through postMessage, which can potentially lead to security risks if an attacker is able to exploit vulnerabilities in the extension or its dependencies.

💡 postMessage is commonly used in legitimate extensions for cross-origin communication.

Bottom Line

The SponsorBlock for YouTube extension has some security concerns, including potential XSS vectors and broad host permissions. However, these findings do not necessarily indicate malicious behavior. Users should exercise caution when installing this extension and regularly review its permissions and code behavior to ensure their safety.
