
Permissions justification.

Last updated · May 2, 2026

X Sort requests one Chrome permission (storage) and four host permissions. Nothing else. No tabs, cookies, identity, history, or scripting access. This page explains every one and why it's needed.

The single Chrome permission

storage

Lets the extension use chrome.storage.local to read and write data in your browser's local storage. X Sort uses it to remember your sort and filter preference between profile visits, store your plan status (free/pro) and license key, hold an anonymous distinct_id (UUID v4) used by analytics, and enforce a local 5-minute scan cooldown per profile.

License keys, scan timestamps, and per-profile data stay on-device. chrome.storage.sync was considered for cross-device preferences but rejected to keep the data surface area as small as possible.

Host permissions

https://x.com/* and https://twitter.com/*

X Sort's core feature is injecting the sort sidebar into X.com profile pages. The content script needs permission to run there. Both x.com and twitter.com are listed because older links still use the twitter.com hostname.

X Sort reads publicly visible DOM content (tweet text, like / view / repost counts) from the page you are already viewing. It does not make authenticated requests to Twitter's API, does not read your DMs or notifications, and does not access your X account in any way.

https://api.polar.sh/*

Pro users enter a license key in the sidebar. The extension validates that key by sending a single POST to /v1/customer-portal/license-keys/validate. The request body contains only the license key string and our public organization ID — no personal data, no auth tokens, no PII. Polar.sh is the Merchant of Record we use for billing. This permission is only used during license activation.
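What that activation request looks like on the wire, as an added example rather than X Sort's own code. The endpoint path is the one stated above; the JSON field names (`key`, `organization_id`), the placeholder organization ID, and the assumed response shape (`status: "granted"`) are assumptions, and `fetch` is injectable so the request body can be inspected offline.

```javascript
// Added example, not X Sort's own code. Field names, the organization ID
// placeholder and the response shape are assumptions for illustration.
const POLAR_VALIDATE_URL =
  'https://api.polar.sh/v1/customer-portal/license-keys/validate';
const ORGANIZATION_ID = 'org_example_public_id'; // assumed public placeholder

// Builds the exact request that leaves the browser. Returning it instead of
// calling fetch directly lets a test assert that only the key and the public
// organization ID are ever serialised.
function buildValidateRequest(licenseKey) {
  const key = String(licenseKey ?? '').trim();
  if (!key) throw new Error('license key must not be empty');
  return {
    url: POLAR_VALIDATE_URL,
    init: {
      method: 'POST',
      headers: { 'content-type': 'application/json' },
      credentials: 'omit', // unauthenticated call: never attach cookies
      body: JSON.stringify({ key, organization_id: ORGANIZATION_ID }),
    },
  };
}

// Sends the request and maps the result to a plan status. Any non-200 reply
// or any status other than "granted" falls back to the free plan; the key
// itself is never logged.
async function validateLicenseKey(licenseKey, fetchImpl = globalThis.fetch) {
  const { url, init } = buildValidateRequest(licenseKey);
  const res = await fetchImpl(url, init);
  if (res.status !== 200) return { plan: 'free', reason: `http ${res.status}` };
  const data = await res.json();
  const granted = data && data.status === 'granted'; // assumed response field
  return {
    plan: granted ? 'pro' : 'free',
    reason: granted ? 'granted' : String((data && data.status) || 'unknown'),
  };
}
```

A reviewer auditing the extension can confirm the "no PII" claim by asserting on `buildValidateRequest(...).init.body` rather than by reading the surrounding prose.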

https://us.i.posthog.com/*

The extension sends anonymous, aggregated product-usage events (button clicks, scan timings, feature usage) to PostHog so we can understand which features users engage with. Each event is tagged with a random UUID generated locally on first run — never linked to your name, email, X handle, or any other identifier. Tweet content, profile handles, license keys, and emails are never sent to PostHog. Full disclosure is in the Privacy Policy.

Permissions we explicitly do NOT request

Permission     Why we don't need it
tabs           We use history.pushState detection inside the content script, not the tabs API
cookies        X Sort does not read, write, or modify any cookies
history        We don't access browsing history
bookmarks      We don't access bookmarks
identity       No OAuth, no login flow
webRequest     We don't intercept network requests
scripting      Content scripts are declared in the manifest, not injected at runtime
activeTab      Not needed: content scripts run via manifest declaration
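A build-time guard that turns the permission list on this page into a check, covering both the four host permissions above and the table of permissions that must stay absent. This is an added example and not X Sort's build tooling; the manifest object at the bottom is constructed for illustration, and the `content.js` file name is assumed.

```javascript
// Added example, not X Sort's own tooling. Fails the build if manifest.json
// ever requests more than the permissions justified on this page.
const ALLOWED_PERMISSIONS = new Set(['storage']);
const ALLOWED_HOSTS = new Set([
  'https://x.com/*',
  'https://twitter.com/*',
  'https://api.polar.sh/*',
  'https://us.i.posthog.com/*',
]);
// Content scripts may only run on the two X hosts, not on the API hosts.
const ALLOWED_CONTENT_SCRIPT_MATCHES = new Set(['https://x.com/*', 'https://twitter.com/*']);

// Returns a list of problems; an empty list means the manifest is within policy.
function auditManifest(manifest) {
  const problems = [];
  for (const p of manifest.permissions ?? []) {
    if (!ALLOWED_PERMISSIONS.has(p)) problems.push(`unexpected permission: ${p}`);
  }
  // Optional permissions can be granted later at runtime; none are justified.
  for (const p of manifest.optional_permissions ?? []) {
    problems.push(`unexpected optional permission: ${p}`);
  }
  for (const h of manifest.host_permissions ?? []) {
    if (!ALLOWED_HOSTS.has(h)) problems.push(`unexpected host permission: ${h}`);
  }
  // A broad match pattern such as <all_urls> or https://*/* would silently
  // expand where the content script runs, so patterns must match exactly.
  for (const cs of manifest.content_scripts ?? []) {
    for (const m of cs.matches ?? []) {
      if (!ALLOWED_CONTENT_SCRIPT_MATCHES.has(m)) {
        problems.push(`content script matches unexpected pattern: ${m}`);
      }
    }
  }
  return problems;
}

// Constructed manifest (MV3) matching the permission set described on this page.
const exampleManifest = {
  manifest_version: 3,
  name: 'X Sort',
  version: '1.0.0',
  permissions: ['storage'],
  host_permissions: [...ALLOWED_HOSTS],
  content_scripts: [
    { matches: [...ALLOWED_CONTENT_SCRIPT_MATCHES], js: ['content.js'] }, // file name assumed
  ],
};

// In a CI step: exit non-zero when anything outside the policy appears.
function manifestIsWithinPolicy(manifest) {
  return auditManifest(manifest).length === 0;
}
```

Run as `node audit-manifest.js` against the real manifest in CI; a pull request that adds `tabs`, `scripting`, an `optional_permissions` entry or a wider match pattern fails before it ships.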

Single-purpose statement

X Sort has a single purpose: to allow users to view and sort publicly visible tweets on any X.com profile page by engagement metrics (views, likes, reposts), displayed in an injected sidebar panel. The extension does not perform any other function unrelated to this core purpose.

Remote code policy

X Sort does not load, execute, or inject any remote code. All JavaScript runs locally from the extension's own files. There are no eval() calls, no dynamically fetched scripts, and no external <script> tags. The extension complies with the Chrome Web Store's remote-code policy.

Questions

Email hello@xsort.app and we'll respond.

XSort

Sort any X profile by what actually performs. Built for power users who need to find what works without paying for a full content suite.

© 2026 X Sort. Not affiliated with X Corp.