It isn’t exactly. They created a list of known extensions by their id and a file which is known to exist in that extension. The site iterates over each pair and tries to load that file, if it doesn’t error it knows the extension is installed. It’s a clever and difficult manual process, but it does bypass the security trying to prevent this kind of thing.

I read that their reasoning is it exists to block users that use known scraper extensions which bypass their terms of use. But don’t entirely buy that.

Here's the relevant bit from the original source:

"Chrome extensions can expose internal files to web pages through the web_accessible_resources field in their manifest.json. When an extension is installed and has exposed a resource, a fetch() request to chrome-extension://{id}/{file} will succeed. When the extension is not installed, Chrome blocks the request and the promise rejects.

LinkedIn tests every extension in the list this way."

Is that information available to websites? I figured they were doing some kind of novel hackery to self-detect extensions based on behaviour that would only happen if X extension was installed.

But that would be a lot of work for 6,300 extensions. Unless someone offers that as a service?

Can ask the same question about so many horrible security blunders web browsers have made over the decades.

Brave explicitly blocks this

because Chrome lets sites probe "installed", and LinkedIn turns that into telemetry.

Chrome always makes tracking easier. It’s their blind spot, because google.

Chrome is a browser produced by an advertising company. Its reason for existence is to track you.