Wave Evaluation Tool
🔍 Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Overview
WAVE is a web accessibility evaluation tool developed by WebAIM.org. It provides visual feedback about the accessibility of your web content by injecting icons and indicators into your page. No automated tool can tell you if your page is accessible, but WAVE facilitates human evaluation and educates about accessibility issues. All analysis is done entirely within the Chrome browser allowing secure valuation of intranet, local, password protected, and other sensitive web pages.
To run a WAVE report, simply click on the WAVE icon to the right of your browser address bar, or select "WAVE this page" from the context menu.
WAVE errors align with WCAG 2.2 failures. The WAVE interface facilitates human evaluation of many other aspects of accessibility and Web Content Accessibility Guidelines, ADA, and Section 508 compliance.
Version 3.3.0.4 (December 2025) - Bug fix for scripting exception with some pages with small text. Minor interface improvements.
Version 3.3.0.3 (November 2025) provides performance, interface, and testing improvements. Improved support for ARIA headings and prefers-reduced-motion user settings.
Version 3.3.0.0 (October 2025) adds numerous new features, enhancements, and bug fixes. Resetting the extension no longer refreshes the page, thus supporting better testing of dynamic content. The Summary and Details panel are now combined. The AIM Score is presented. Viewing the Order, Structure, or Contrast tabs now filters to only relevant page icons. The WAVE sidebar can now be collapsed out of view.
Version 3.2.7.2 (September 2024) fixes a bug that disallowed checking of local files and suppresses errors in some cases where role="presentation" is present.
Version 3.2.7.0 (August 2024) adds compatibility with Manifest v3. Inputs with aria-disabled=true are no longer considered for contrast checking.
Version 3.2.6.0 (August 2024) adds support for contrast checking when foreground alpha/opacity is defined. The Contrast sidebar tools are updated to support foreground alpha. Also numerous minor bug fixes and improvements.
Version 3.2.5.3 (February 2024) fixes numerous minor bugs and adds testing refinements. Some hidden inputs are no longer incorrectly flagged as not labeled.
Version 3.2.4.4 (October 2023) fixes a few minor bugs with testing hidden content and with the sidebar contrast tools.
Version 3.2.3.9 (June 2023) removes the warning message on UserWay pages due to them removing code that changes page content when the WAVE extension is activated.
Version 3.2.3.8 (June 2023) includes numerous accessibility test enhancements, several minor bug fixes, and simplification of the contrast checking tools. Users are informed that WAVE results may be manipulated on pages that utilize UserWay or accessiBe overlays.
Version 3.2.3 (March 2023) includes several minor bug fixes. A previous update to test for contrast errors in hidden elements has been reverted. While this was useful for finding contrast errors in drop-down menus, tab panels, dialog windows, etc., identification of errors in hidden elements caused user confusion and, in some rare cases, false positives.
Version 3.2 (December 2022) includes over 100 bug fixes and performance enhancements. The extension no longer utilizes jQuery, resulting in faster testing and better compatibility with a variety of pages. A new Navigation Order panel is available that shows the navigation order, element roles, and accessible names (what is read by a screen reader) for all navigable elements.
Version 3.1.6 (October 2021) includes numerous bug fixes and test rule enhancements for better testing contrast (filters, background images, and other complex color definitions are better handled), document language (IANA-defined language values are now tested), empty links and buttons (better ARIA support for accessible name computations), broken ARIA references, etc., etc. Performance and accessibility has been improved.
Version 3.1.3 (November 2020) includes performance enhancements and fixes several minor bugs, including fixes for multiple alerts for some pseudo-lists and disabled controls being incorrectly flagged for contrast failures.
Version 3.1.2 (October 2020) fixes several minor bugs, including with the Structure tab sometimes incorrectly showing no structure, and improves performance and accessibility testing reliability.
Version 3.1 (September 2020) includes new accessibility tests (region, figure, possible list, select element missing label, and image with title), improved contrast checking, expanded lang attribute value checking, and numerous other bug fixes and improvements.
Version 3.0.9 (July 2020) includes numerous bug fixes, improved accessibility, and improved color contrast checking including fewer false positives and expanded contrast checking for form inputs.
Tags
Privacy Practices
Security Analysis — Wave Evaluation Tool
Permissions
Code Patterns Detected
External Connections
Package Contents 152 files · 958KB
What This Extension Does
The Wave Evaluation Tool extension evaluates web accessibility within your browser, providing visual feedback about the accessibility of your web content. It helps human evaluation and educates about accessibility issues, aligning with WCAG 2.2 failures. The extension is suitable for users who want to ensure their website or webpage is accessible and compliant with Web Content Accessibility Guidelines (WCAG), ADA, and Section 508.
Permissions Explained
- activeTabexpected: This permission allows the extension to access the current web page you're viewing.
Technical: The extension uses this API to inject icons and indicators into your page for accessibility evaluation. This permission grants access to the tab's content, which may include sensitive information such as login credentials or personal data. - contextMenusexpected: This permission allows the extension to add custom context menu items for easy access to its features.
Technical: The extension uses this API to create context menu items, which can be used to trigger accessibility evaluations. This permission grants access to the browser's context menu system, allowing the extension to inject custom items. - scriptingexpected: This permission allows the extension to execute scripts on web pages for accessibility evaluation.
Technical: The extension uses this API to inject scripts into web pages, which can access and manipulate page content. This permission grants access to the browser's scripting engine, allowing the extension to evaluate web accessibility. - webNavigationexpected: This permission allows the extension to monitor and intercept navigation events for accessibility evaluation.
Technical: The extension uses this API to track page loads, redirects, and other navigation events. This permission grants access to the browser's navigation history, allowing the extension to evaluate web accessibility. - file:///*check this: This permission allows the extension to access local files for accessibility evaluation.
Technical: The extension uses this API to access local files, which may contain sensitive information such as login credentials or personal data. This permission grants access to the file system, allowing the extension to evaluate web accessibility on local files. ⚠ 1 - http://*/*check this: This permission allows the extension to access remote resources for accessibility evaluation.
Technical: The extension uses this API to access remote resources, which may contain sensitive information such as login credentials or personal data. This permission grants access to the network, allowing the extension to evaluate web accessibility on remote resources. ⚠ 1 - https://*/*check this: This permission allows the extension to access secure remote resources for accessibility evaluation.
Technical: The extension uses this API to access secure remote resources, which may contain sensitive information such as login credentials or personal data. This permission grants access to the network, allowing the extension to evaluate web accessibility on secure remote resources. ⚠ 1
Your Data
The Wave Evaluation Tool extension accesses and evaluates web content for accessibility, including page content, login credentials, and personal data. It sends data to the following domains: webaim.org, overlayfactsheet.com, wave.webaim.org, www.w3.org.
Technical Details
Code Findings
The extension uses innerHTML assignment to inject scripts into web pages, which can be a potential XSS vector.
Technical: The extension uses the innerHTML property to assign HTML content to an element. This can lead to cross-site scripting (XSS) attacks if malicious code is injected into the page.
💡 This pattern is commonly used in legitimate extensions for injecting scripts or HTML content into web pages.
The extension uses insertAdjacentHTML to inject scripts into web pages, which can be a potential XSS vector.
Technical: The extension uses the insertAdjacentHTML method to inject HTML content into an element. This can lead to cross-site scripting (XSS) attacks if malicious code is injected into the page.
💡 This pattern is commonly used in legitimate extensions for injecting scripts or HTML content into web pages.
The extension creates script elements dynamically, which can be a potential XSS vector.
Technical: The extension uses the document.createElement method to create script elements dynamically. This can lead to cross-site scripting (XSS) attacks if malicious code is injected into the page.
💡 This pattern is commonly used in legitimate extensions for injecting scripts or HTML content into web pages.
The extension captures keystrokes, which can be a significant security concern.
Technical: The extension uses the keydown event to capture keystrokes. This can lead to unauthorized access to sensitive information such as login credentials or personal data.
💡 This pattern is not commonly used in legitimate extensions for capturing keystrokes.
The extension monitors form inputs, which can be a potential security concern.
Technical: The extension uses the input event to monitor form inputs. This can lead to unauthorized access to sensitive information such as login credentials or personal data.
💡 This pattern is commonly used in legitimate extensions for monitoring form inputs.
The extension listens to keyboard shortcuts, which can be a potential security concern.
Technical: The extension uses the keydown event to listen to keyboard shortcuts. This can lead to unauthorized access to sensitive information such as login credentials or personal data.
💡 This pattern is commonly used in legitimate extensions for listening to keyboard shortcuts.
The extension creates context menu items, which can be a potential security concern.
Technical: The extension uses the chrome.contextMenus API to create context menu items. This can lead to unauthorized access to sensitive information such as login credentials or personal data.
💡 This pattern is commonly used in legitimate extensions for creating context menu items.
The extension creates iframe elements, which can be a potential security concern.
Technical: The extension uses the document.createElement method to create iframe elements. This can lead to unauthorized access to sensitive information such as login credentials or personal data.
💡 This pattern is commonly used in legitimate extensions for creating iframe elements.
The extension uses postMessage for cross-origin communications, which can be a potential security concern.
Technical: The extension uses the postMessage method to communicate with other origins. This can lead to unauthorized access to sensitive information such as login credentials or personal data.
💡 This pattern is commonly used in legitimate extensions for cross-origin communications.
The Wave Evaluation Tool extension has several security concerns, including potential XSS vectors, unauthorized access to sensitive information, and monitoring of form inputs. While the extension's stated purpose is legitimate, its code behavior raises significant concerns that may compromise user data. We recommend users exercise caution when installing this extension and regularly review its permissions and behavior.
