Last updated: April 17, 2026
Lesuto Chameleon Toolkit is a Chrome extension published by Lesuto Technologies, Inc. It is a developer tool for merchants, suppliers, and developers building on the Lesuto Chameleon e-commerce platform. The extension blocks analytics and tracking requests during development sessions so that developer activity does not pollute production metrics, and provides a one-click visual editor (the “Studio”) for the Chameleon SDK.
The Lesuto Chameleon Toolkit does not collect, transmit, or store personal information about you for the publisher's purposes.
The extension specifically:
The single exception — covered in detail in “Authentication Information” below — is the user's existing Lesuto admin session token, which the extension reads from the same browser tab the user is already signed in to and which is only ever sent back to the same admin API the user is already authenticated with.
To enable the Studio companion feature, the extension reads two values from
localStorage on admin.lesuto.com when the user has that
site open in another tab:
vendure-auth-token — the user's existing admin session token.vendure-selected-channel-token — the user's currently active channel.
These values are stored locally in chrome.storage.local under the key
lesutoAuth. They are used to:
https://api.lesuto.com/api/v3/admin/graphql), which proxies to the
same admin backend the user signed into.sdkPreview tokens for previewing draft Studio
configs through the same gateway.postMessage.
The auth token is never sent to any server other than Lesuto's
first-party API gateway (api.lesuto.com), which proxies to the admin
backend the token came from (admin.lesuto.com). It is
never sent to a publisher analytics endpoint, third-party service,
or anywhere outside the user's own tenant. To revoke it, log out of
admin.lesuto.com — the extension will detect the cleared localStorage
within 60 seconds and disconnect.
The extension uses chrome.storage.local to persist state on the local
device. None of this data leaves the browser except as described above for the auth
token.
| Storage key | Purpose | Sent externally? |
|---|---|---|
shieldState.enabled |
Whether the tracking shield is on or off | No — local only |
shieldState.categories |
Per-category blocking toggles | No — local only |
shieldState.blockCounts |
Per-category counters for the popup display | No — local only |
lesutoAuth |
User's own admin session token, mirrored from admin.lesuto.com localStorage | Only to api.lesuto.com (the first-party gateway proxying to the admin backend the token came from) |
draft_{channelToken}_{host}_{siteId} |
Pending Studio editor configurations the user has not yet published. The trailing site segment scopes drafts per-deployment so a single channel with multiple stores never overwrites a sibling store’s pending changes. | Only to admin.lesuto.com when the user clicks “Publish” |
| Permission | Why It's Needed |
|---|---|
declarativeNetRequest |
Block analytics, ad network, and pixel requests at the browser level before they are sent. Uses Chrome's built-in rule engine — the extension never sees request bodies or response content. |
declarativeNetRequestFeedback |
Count how many network-level requests were blocked, displayed in the popup. Available only in unpacked/dev mode; production block counts come from the content-script intercepts. |
storage |
Save user preferences, block counters, the auth token described above, and
studio drafts in chrome.storage.local. |
activeTab |
When the user clicks “Open Studio,” grants temporary access to the active tab so the extension can inject the Studio script. Granted only on user interaction with the popup. |
scripting |
Required alongside activeTab to execute the Studio injection
script and to bridge studio saves to an open admin tab via
chrome.scripting.executeScript. |
tabs |
Used in two queries: locating an open admin.lesuto.com tab to
postMessage saved configs to, and identifying the active tab's host so drafts
can be keyed correctly. The extension does not enumerate URLs of unrelated
tabs. |
host_permissions: <all_urls> |
The tracking shield must run on any website the developer visits. The Studio companion injects on the active tab on user click. We never read page content, form data, or cookies — only intercept outgoing tracking requests and append the studio script tag on demand. |
Three content scripts run as part of the extension:
fetch, XHR, sendBeacon, and tracking
function calls (gtag, fbq, ttq,
pintrk, dataLayer.push) to block tracking. Does not read
page content, form data, or cookies.
vendure-auth-token and vendure-selected-channel-token
from localStorage on the admin site and forwards them to the extension service
worker. Same origin the user is already signed in to.
When the user clicks “Open Studio,” the extension appends a single
<script> tag pointing to
https://www.lesuto.com/chameleon-studio.js. This is a publisher-hosted
first-party script — the same script used by the bookmarklet at
demo.lesuto.com/editor and by the
?studio=1 mode of the demo gallery at
demo.lesuto.com. The extension never modifies
page content, only adds one script tag on explicit user interaction.
The extension does not use any third-party services, SDKs, or libraries. It is built entirely with standard Chrome Extension APIs (Manifest V3) and ships no bundled dependencies.
This extension is a developer tool and is not directed at children under 13. We do not knowingly collect any information from children.
We may update this privacy policy from time to time. Changes will be posted on this page with an updated “Last updated” date. Continued use of the extension after changes constitutes acceptance of the revised policy.
If you have questions about this privacy policy or the extension, contact us at:
Email: support@lesuto.com
Website: www.lesuto.com