I've created and published a Chrome extension. It had to go through a review process that can take days.<p>In addition, Chrome extensions can't use JavaScript that is loaded from an external source (the review team enforce this).<p>This means that the code that enables Honey to hijack cookies and inject its own affiliate links must be in the Chrome extension's code i.e. the same code that the Chrome Web Store team have access to during the review process.
All it is doing is opening a new tab when the user clicks a button, then closing that tab. The JavaScript that replaces the cookie comes from the site itself. I'm sure there's an API call that happens inside the extension to look up the affiliate link to load, but that's probably it.<p>They wrap all their magic behind that single click, but to be fair, that's exactly how the traditional coupon code sites (e.g. retailmenot) have always worked. Honey just wrapped it into a browser extension and promoted the hell out of it.
Because they simply do not care, and won't put any resources in policing the chrome store. I mean, just look at all the Chrome extensions owned by companies that track all the websites you visit and sell it to marketers in the past 10-15 years (Exhibit #1: SimilarWeb). Google doesn't care. It's that simple.