This page is a guided tour of every network request, storage write, and permission Zero Hour uses, quoted from the extension's actual shipped source. Because the production build ships unminified, every snippet below can be verified on your own machine in three clicks: right-click the Zero Hour icon, choose Inspect popup, open Sources.
If anything here doesn't match what you see in your installation, the install on your machine is canonical. Tell us.
The complete network behaviour of the extension
Zero Hour makes exactly three categories of network request. That's it. There are no analytics pings, no event reporting, no error telemetry, no advertising IDs, no third-party scripts.
1. The bid POST (to eBay)
At T-minus-3 seconds (or your configured lead time), a content script running inside an eBay listing tab posts the bid:
// src/content-script/bidder.ts (excerpt — runs in the eBay page context)
const layer = await fetch(
  `https://www.ebay.com.au/bfl/placebid/${itemId}?module=1&currencyId=${currency}`,
  { credentials: 'include' }
).then(r => r.text());
const srt = JSON.parse(extractJson(layer, 'srt')); // 3-element token array
const forterToken = readForterToken(); // window.forterToken or cookie
const res = await fetch(
  'https://www.ebay.com.au/bfl/placebid?action=reviewbid&modules=REVIEW_BID_LAYER',
  {
    method: 'POST',
    credentials: 'include',
    redirect: 'manual',
    headers: { 'Content-Type': 'application/json; charset=UTF-8' },
    body: JSON.stringify({
      decimalPrecision: 2,
      price: { currency, value: maxBid },
      itemId,
      srt: srt[0],
      autoPayContext: { forterRiskToken: forterToken, getBidLayerReferenceId: '' },
    }),
  }
);
The request runs inside the eBay listing tab. Chrome attaches your eBay session cookies natively. eBay's anti-fraud Forter token, which is computed live by your browser's fingerprint, is also picked up natively because the script runs in the page context. The bid POST hits eBay from your machine, your IP, your session. Zero Hour's own server is not involved.
2. The pre-fetch (to eBay)
At T-30s, the service worker opens (or focuses) a background tab on the listing URL so the page can warm its session and load eBay's anti-fraud SDK. The bidder content script then fetches the bid-layer JSON to extract the per-action tokens eBay's current bid form expects:
// src/content-script/bidder.ts (excerpt)
const res = await fetch(bidLayerUrl, { credentials: 'include' });
const html = await res.text();
const srt = JSON.parse(extractJson(html, 'srt')); // [reviewSrt, confirmSrt, reserveSrt]
Same destination (eBay), same cookie behaviour. Read once, used once, discarded.
3. The entitlement check (to zerohourbid.com)
The only request Zero Hour makes to its own servers. It's a single GET with exactly one query parameter (an opaque UUID) and returns plan status:
// src/lib/entitlement.ts (excerpt)
const installId = await getInstallId(); // random UUIDv4
const url = `https://zerohourbid.com/api/entitlement?install_id=${installId}`;
const res = await fetch(url);
const data = await res.json();
// { plan: 'free' | 'monthly' | 'lifetime', valid_until: '...' }
That's the entire payload. No item titles, no bid history, no eBay IDs, no usernames. Just "is this install Pro?"
Three requests. Two endpoints (eBay and zerohourbid.com). That's the list.
You can verify it yourself with Chrome's DevTools Network panel. Open the popup with DevTools attached, perform any action, and watch the request log. There is nothing else.
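The manual check above can also be run over a saved log. The following is an added example, not part of Zero Hour's source: it audits a HAR file exported from the DevTools Network panel (popup or service worker) against the three documented request categories. The eBay suffix list and the sample entries are constructed assumptions.

```javascript
// Added example (not Zero Hour code): audit a DevTools HAR export against
// the three documented request categories.
const EBAY_SUFFIXES = ['ebay.com', 'ebay.com.au']; // assumption: extend per your manifest
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Suffix match on a label boundary, so "ebay.com.evil.example" does not pass.
function isEbayHost(host) {
  return EBAY_SUFFIXES.some(s => host === s || host.endsWith('.' + s));
}

function auditHar(har) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const u = new URL(request.url);
    if (u.protocol !== 'https:') {
      findings.push(`non-HTTPS request: ${request.url}`);
    } else if (isEbayHost(u.hostname)) {
      continue; // categories 1 and 2: bid POST and pre-fetch
    } else if (u.hostname === 'zerohourbid.com') {
      // Category 3: GET /api/entitlement with install_id as the only parameter.
      const keys = [...u.searchParams.keys()];
      const ok = request.method === 'GET' && u.pathname === '/api/entitlement' &&
        keys.length === 1 && keys[0] === 'install_id' &&
        UUID_V4.test(u.searchParams.get('install_id')) && !request.postData;
      if (!ok) findings.push(`unexpected entitlement request: ${request.method} ${request.url}`);
    } else {
      findings.push(`undocumented destination: ${u.hostname}`);
    }
  }
  return findings;
}

// Constructed sample: two documented requests followed by three that should be flagged.
const SAMPLE_HAR = { log: { entries: [
  { request: { method: 'POST', url: 'https://www.ebay.com.au/bfl/placebid?action=reviewbid&modules=REVIEW_BID_LAYER' } },
  { request: { method: 'GET', url: 'https://zerohourbid.com/api/entitlement?install_id=3f2b8c1e-9a4d-4e7b-8c2a-5d6f7a8b9c0d' } },
  { request: { method: 'GET', url: 'https://zerohourbid.com/api/entitlement?install_id=3f2b8c1e-9a4d-4e7b-8c2a-5d6f7a8b9c0d&item=123' } },
  { request: { method: 'GET', url: 'https://ebay.com.evil.example/collect' } },
  { request: { method: 'POST', url: 'https://telemetry.example/v1/events' } },
] } };

console.log(auditHar(SAMPLE_HAR));
```

An empty result means every logged request fell into one of the three categories; a HAR captured from the eBay listing tab will also contain eBay's own page traffic, which this check does not classify.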
The complete storage behaviour
Zero Hour writes to two Chrome storage APIs, both of which live on your machine.
chrome.storage.local — snipes and history
Active and completed snipes. Never transmitted anywhere. Cleared when you uninstall the extension.
// src/lib/storage.ts
await chrome.storage.local.set({ snipes: updated });
// keys: snipes, settings
chrome.storage.sync — install ID only
A single UUID, synced across your own Chrome installs if you're signed into Chrome sync. Not synced to Zero Hour's servers. Only to Google's Chrome sync infrastructure, exactly like your bookmarks.
// src/lib/install-id.ts
const installId = crypto.randomUUID();
await chrome.storage.sync.set({ installId });
What is never stored
- Your eBay password. There is no form to capture it.
- Your eBay session cookies. Read fresh at bid time via chrome.cookies, never persisted.
- Your eBay username. Extracted only locally for display in the popup; never transmitted.
- Any IP address, device identifier, or browser fingerprint.
The complete permissions list — and why each one is needed
| Permission | Why it's needed |
|---|---|
| cookies | Read eBay session cookies at bid time. Read-only, fresh every bid, never persisted. |
| alarms | Wake the service worker 30 seconds before each scheduled snipe. The only reliable wake mechanism in Manifest V3. |
| storage | Store snipes and settings in chrome.storage.local. Never leaves your machine. |
| notifications | Tell you when a snipe wins, loses, or fails. System-level Chrome notification, not push. |
| activeTab | Used by the "Snipe this auction" content script button on eBay pages. |
| tabs | Open or focus a background tab on the listing at fire time so the bid can be placed from the eBay page context, where your cookies and eBay's anti-fraud token live. No tab listing, no tab content reading. |
| host: *.ebay.com et al | Required to read cookies and post the bid to eBay. Limited to eBay regional domains. |
| host: zerohourbid.com | Only for the entitlement check. Single endpoint, single param. |
Notice what isn't here: no history, no identity, no broad <all_urls> host permission, no webRequest. The tabs permission is only used to open or focus a single eBay listing tab at fire time and close it again afterwards — it does not let us enumerate other tabs or read their content. Each permission has a specific, narrow purpose and a specific line of code that uses it.
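To compare an installed copy against this table, the following added example (not part of Zero Hour's source) diffs a manifest.json object against the documented permissions and host scope, including optional permissions and content-script match patterns. The eBay suffix list and both sample manifests are constructed assumptions.

```javascript
// Added example (not Zero Hour code): diff a manifest.json against the table above.
const DOCUMENTED_API = new Set(['cookies', 'alarms', 'storage', 'notifications', 'activeTab', 'tabs']);
const EBAY_SUFFIXES = ['ebay.com', 'ebay.com.au']; // assumption: the page only says "*.ebay.com et al"

// Host part of a Chrome match pattern such as "https://*.ebay.com/*";
// null for "<all_urls>", other schemes, and malformed patterns.
function patternHost(pattern) {
  const m = /^(?:\*|https?):\/\/([^/]+)\/.*$/.exec(pattern);
  return m ? m[1] : null;
}

function hostAllowed(pattern) {
  const host = patternHost(pattern);
  if (!host) return false;
  const bare = host.replace(/^\*\./, ''); // "*.ebay.com" -> "ebay.com"
  if (bare.includes('*')) return false;   // "*" alone means every host
  return bare === 'zerohourbid.com' ||
    EBAY_SUFFIXES.some(s => bare === s || bare.endsWith('.' + s));
}

function auditManifest(manifest) {
  const api = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ];
  return [
    ...api.filter(p => !DOCUMENTED_API.has(p)).map(p => `undocumented permission: ${p}`),
    ...hosts.filter(h => !hostAllowed(h)).map(h => `host pattern outside documented scope: ${h}`),
  ];
}

// Constructed manifests: one matching the table, one that has drifted from it.
const AS_DOCUMENTED = {
  manifest_version: 3,
  permissions: ['cookies', 'alarms', 'storage', 'notifications', 'activeTab', 'tabs'],
  host_permissions: ['https://*.ebay.com/*', 'https://*.ebay.com.au/*', 'https://zerohourbid.com/*'],
  content_scripts: [{ matches: ['https://*.ebay.com.au/*'], js: ['bidder.js'] }],
};
const DRIFTED = {
  ...AS_DOCUMENTED,
  permissions: [...AS_DOCUMENTED.permissions, 'webRequest'],
  optional_host_permissions: ['<all_urls>', 'https://*.ebay.com.evil.example/*'],
};
```

Run `auditManifest` on the parsed manifest.json from the extension's install directory after each update; any finding means the shipped permissions no longer match the table.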
How to verify all of this yourself
- Install Zero Hour.
- Right-click the Zero Hour icon in your Chrome toolbar.
- Select "Inspect popup". Chrome DevTools opens, attached to the popup.
- Click the Sources tab. You'll see the extension's full file tree. Variable names are intact. Comments are preserved.
- Open the Network tab, then trigger an action: saving a snipe, opening the paywall, refreshing entitlement. Every outgoing request is logged here.
- The bid POST itself you can verify by setting a snipe for the very near future and watching the Network tab inside the eBay listing tab (DevTools → that tab). The bid runs in src/content-script/bidder.ts.
What about the service worker?
Service worker code is harder to attach DevTools to but still inspectable. Visit chrome://extensions/, enable Developer mode top-right, find Zero Hour, click service worker next to its entry. DevTools opens attached to the worker. All bid logic is in src/service-worker/.
The "no minification" decision
Most extensions minify their production builds. Minification removes whitespace, mangles variable names, and strips comments. The norm exists for good reasons: smaller downloads, slight performance gains, mild IP protection.
Zero Hour explicitly opts out. Our Vite config disables Terser, name mangling, and source-map stripping. The packaged production extension submitted to the Chrome Web Store contains source as readable as our development build. The performance cost is negligible on a 500KB extension. The transparency gain is the entire product.