
Dispel takes the security of the extension and its users seriously. Because the extension handles sensitive data — including API keys and page content from any site the user visits — we have established a clear process for responsible vulnerability disclosure. We ask that security researchers and users who discover potential issues work with us privately before publishing any details, so that we can understand the impact, develop a fix, and protect users before information becomes public.

Supported Versions

Security patches are only applied to the current stable release line. Older pre-release builds are not maintained.
Version   Supported
1.0.x     ✅ Yes
< 1.0     ❌ No
If you are running a version below 1.0, please update to the latest 1.0.x release before reporting an issue — it may already be resolved.

Reporting a Vulnerability

Do not open a public GitHub issue, post on social media, or disclose vulnerability details in any public forum before receiving a response from the Dispel team. Public disclosure before a fix is available puts all users at risk.
1. Keep it private

Do not open a public GitHub issue for security vulnerabilities. Public disclosure before a fix is shipped exposes users to active exploitation. If you have already filed a public issue in error, please edit it to remove the sensitive details and contact us immediately.
2. Email the security team

Send a report to support@usedispel.dev with the following information:
  • A clear description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions, or a proof-of-concept if one is available
  • The affected version (e.g., 1.0.3)
The more detail you provide, the faster we can triage and respond.
3. Await acknowledgement

We will acknowledge receipt of your report within 3 business days. For confirmed vulnerabilities, we aim to ship a fix within 30 days of confirmation. We will keep you informed as the investigation progresses and will credit you in the release notes if you wish.
4. Coordinate disclosure

We follow responsible disclosure practices and ask that you give us a reasonable window before publishing or presenting details of the vulnerability. Once a fix has been released and users have had a reasonable opportunity to update, we are happy to coordinate a joint disclosure if you would like to publish your findings.

Scope

In Scope

We want to hear about:
  • The Dispel extension source code in this repository
  • Build artifacts produced by bun run build and bun run zip
This includes issues such as insecure data handling, privilege escalation within the extension, injection vulnerabilities, or unintended data transmission.

Out of Scope

Please report these to their respective vendors:
  • Third-party AI providers (OpenAI, Anthropic, Google, OpenRouter, etc.)
  • The Chrome Web Store and Firefox AMO
  • Self-hosted OpenAI-compatible endpoints configured by individual users
Vulnerabilities in these services are outside Dispel’s control and should be reported directly to those vendors.

Data Handling Summary

This section summarises how Dispel handles data from a security perspective. For the complete data handling disclosure, including the full HTML attribute allowlist, storage mechanisms, and third-party provider details, see the Privacy Policy.
All user data — prompts, generated CSS, API keys, and model configurations — is stored locally in chrome.storage.local. No data is sent to any Dispel-operated server. The only external transmission is to the AI provider the user explicitly configures, over HTTPS, at the moment a prompt is submitted.
The page URL sent to the AI provider is stripped of its query string, fragment, and any userinfo component (e.g., embedded credentials) before it is transmitted or stored. Only the scheme, hostname, and path are retained.
Page HTML and picked element HTML are both sanitised through the same attribute allowlist before being sent to the AI provider. All attributes are stripped except:
id · class · style · href · role · data-testid · data-qa
type · name · placeholder · src · alt · title
Tags such as SCRIPT, STYLE, IFRAME, CANVAS, SVG, and HEAD are removed entirely. Invisible and off-viewport elements are excluded. Comments are stripped and whitespace is normalised.
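The two pre-transmission transformations described above, URL reduction and HTML sanitisation, as an added worked example in JavaScript. This is not Dispel's own code and the page does not say how the extension structures its sanitiser; the example models the page as a plain object tree of the shape {tag, attrs, children}, {text} or {comment} so it runs in Node, and an assumed hidden flag stands in for the extension's invisible/off-viewport check, which needs live layout data. The sample page and URL are constructed for the example.

```javascript
// Added example (not Dispel's own code). Node-runnable model of the two
// pre-transmission transformations: URL reduction and HTML sanitisation.
// Assumption: the page is represented as a plain tree of
//   { tag, attrs, children, hidden? } | { text } | { comment }
// rather than live DOM nodes; `hidden` stands in for the extension's
// invisible / off-viewport check, which needs layout data we don't have here.

// Attribute allowlist from the page; everything else is dropped.
const ALLOWED_ATTRS = new Set([
  'id', 'class', 'style', 'href', 'role', 'data-testid', 'data-qa',
  'type', 'name', 'placeholder', 'src', 'alt', 'title',
]);

// Tags removed entirely, including their subtree.
const DROPPED_TAGS = new Set(['script', 'style', 'iframe', 'canvas', 'svg', 'head']);

// Keep only scheme, hostname and path. The WHATWG URL parser already
// separates userinfo, query and fragment; using hostname (not host) also
// drops the port, which the page does not list as retained.
function stripUrl(raw) {
  const u = new URL(raw);
  return `${u.protocol}//${u.hostname}${u.pathname}`;
}

// Returns a sanitised copy of the node, or null if it must be removed.
function sanitiseNode(node) {
  if (node.comment !== undefined) return null;              // comments stripped
  if (node.text !== undefined) {
    const text = node.text.replace(/\s+/g, ' ').trim();     // whitespace normalised
    return text ? { text } : null;
  }
  const tag = node.tag.toLowerCase();
  if (DROPPED_TAGS.has(tag) || node.hidden) return null;   // tag and subtree gone
  const attrs = {};
  for (const [name, value] of Object.entries(node.attrs || {})) {
    const key = name.toLowerCase();
    if (ALLOWED_ATTRS.has(key)) attrs[key] = value;         // e.g. onclick, data-user-email dropped
  }
  const children = (node.children || []).map(sanitiseNode).filter(Boolean);
  return { tag, attrs, children };
}

// Serialise the sanitised tree back to HTML for sending to the provider.
function serialise(node) {
  if (node.text !== undefined) return node.text;
  const attrs = Object.entries(node.attrs)
    .map(([k, v]) => ` ${k}="${String(v).replace(/&/g, '&amp;').replace(/"/g, '&quot;')}"`)
    .join('');
  return `<${node.tag}${attrs}>${node.children.map(serialise).join('')}</${node.tag}>`;
}

function sanitiseTree(root) {
  const clean = sanitiseNode(root);
  return clean ? serialise(clean) : '';
}

// Constructed sample page: an inline handler, a private data attribute,
// a script, a comment, a hidden element and messy whitespace.
const SAMPLE_PAGE = {
  tag: 'DIV',
  attrs: { id: 'main', onclick: 'track()', 'data-testid': 'root', 'data-user-email': 'a@b.test' },
  children: [
    { comment: ' build 1234 ' },
    { tag: 'script', attrs: {}, children: [{ text: 'fetch("/api/session")' }] },
    { tag: 'a', attrs: { href: '/login', target: '_blank' }, children: [{ text: '  Sign \n  in  ' }] },
    { tag: 'span', attrs: { class: 'tooltip' }, hidden: true, children: [{ text: 'not visible' }] },
  ],
};

console.log(stripUrl('https://alice:s3cret@app.example.com:8443/account/settings?token=abc#section'));
console.log(sanitiseTree(SAMPLE_PAGE));
```

Running the block prints https://app.example.com/account/settings and a single div carrying only id and data-testid with a cleaned anchor inside it: the credentials, query string, fragment, comment, script, inline handler, private data attribute and hidden span never reach the provider. In the extension the same walk would be performed over live DOM nodes, where the visibility check can use real layout data.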
API keys are stored exclusively in chrome.storage.local, which is isolated to the Dispel extension. Note that extension storage is protected by the browser's extension isolation and the operating system's profile-directory permissions rather than encrypted at rest, so anyone who can read the browser profile on disk can read the keys. Keys are transmitted only to the respective AI provider's API endpoint in the Authorization header. They are never logged, written anywhere other than chrome.storage.local, or sent to any other destination.
