There's an entire industry of browser extensions operating without authorisation on advertiser websites, completely undetected.
With last week's court ruling, the Honey saga might be over, but it wasn't the argument we should have been having. In my opinion, the real issue isn't how extensions claim commission; it's that they're operating on your site at all, without your knowledge.
Here's the scenario:
- I build a discount browser extension (not that hard)
- I fill it with codes I've scraped from other sites or users (not that hard)
- I get users (quite hard)
- I get onto an affiliate programme via a subnetwork or other obscured publisher (seemingly not hard at all)
I'm now operating on an advertiser's site without them knowing, claiming commission on users who may or may not use my codes, which I’ve taken from elsewhere.
Sales are reported via the publisher I've signed up with. The advertiser has no idea it's an extension driving them. The network may not either.
At Marcode, we see at least 30 extensions operating in this manner, some with millions of users. They routinely breach advertiser terms prohibiting extension-based activity. But how would anyone know?
The industry's response to Honey has focused on technical measures: soft cookies, standdown, the afrsc=1 parameter. Google updated its Chrome extension policies in March 2025 to require "direct and transparent user benefit" before affiliate links can be injected. These are welcome steps. But they're solving the wrong problem.
What's the point of soft cookies when an advertiser doesn't know an extension is operating on their site in the first place? What's the point of network policies when the extension signs up via a subnetwork that might not enforce them?
The talk is about protecting advertisers from cookie overwriting. But when an extension can monetise via a subnetwork with minimal vetting and operate undetected for months, the cookie question is academic.
The front door is wide open. Why are we fitting better locks on the windows?