It's not encrypted or obfuscated, you can just read the source if you install the extension.
Here's where the magic happens:
When you go to any website, it sends the URL to /ipa/?u= and waits for a response.
One of our members offers a high payout (and seems like a friendly lil guy) so we'll use his faucet to test, here I've encoded my referral link for his site. You see my wallet address highlighted at the end.
Here's the response - you'll notice it passed back "?r=[wallet address from OP]"
So back to that function to see what it does with it
if(ret["css"]==1) evaluates to true and manipulates the page. Substituting in the values from the JSON response, it does this:
document.querySelector("form")["action"] = "?r=1RZJZgoblahblahblah" (line in the middle of the pic, not the highlighted one)
It's quite clever doing the legwork on their own server I guess, you can customise it as you go, plus it hides it a little from anybody who's skimming the code looking for bad stuff. It's shady as all hell though, I don't think google would like it at all.
I really just skimmed the rest of the code, the fact they're passing every URL you access to their server and then doing whatever they feel like to the webpage you're viewing is a serious enough security and privacy concern. If you have it installed, get rid of it.