Et Tu, Grammarly?

Summary

Saturday 29 Mar 2025 For a few months now I’ve received sporadic reports that my website was broken. They said the layout was askew and things were sized strangely. They had screenshots to prove it. This was embarrassing for a professional website builder.Thankfully my audience is tech-savvy and the Grammarly browser extension was identified as a prime suspect. When this extension was installed it broke my website, simple as that. My initial response was: “Sorry, their bug, not mine”. But after one report too many, I was forced to sign-up and install Grammarly myself (praise the burner email).DiscoveryAfter accepting the Grammarly Firefox (Mullvad browser) extension kitchen sink permissions:Access your data for all websitesDisplay notifications to youAccess browser tabsI soon found the evidence. Grammarly injects a stylesheet into web pages (here’s a GitHub Gist). This stylesheet is loaded from the local extension assets. It cannot be found by the web page itself using StyleSheetList. It even bypasses Content Security Policy. It is effectively a stealth stylesheet undetectable by the website itself. In Firefox at least, I didn’t care to install Grammarly in other browsers.The Grammarly extension also appends a custom <grammarly-desktop-integration> element to the <html> document. This is done on every website regardless of whether you interact with the extension or not (I’ve no idea what it’s used for).Why me?At the end of Grammarly’s stylesheet you’ll find the following CSS::host, :root { --rem:16 }Copy CodeAside from the obvious crime of omitting a semicolon, this is seemingly innocuous. You probably know the magic number 16. By default 1rem = 16px in CSS units (kinda, it’s complicated). Further up Grammarly are doing a form of dynamic font sizing:.kE2Bj { font-size:calc(0.86px*(var(--rem) - 2)); line-height:calc(1.2868px*(var(--rem) - 2)); }Copy CodeThis code is auto-generated so it’s not entirely clear what’s going on. I thought they might be dynamically setting...