Every Extension UX & Performance Audit check

A popup that shows nothing until an async operation resolves trains users to distrust the extension — or abandon it. Chrome's ISO 25010:2011 performance-efficiency.time-behaviour benchmark treats 200ms as the threshold for perceived responsiveness. Blank popups during storage reads or API calls regularly cause 1-star reviews citing "laggy" or "broken" extensions; those reviews cannot be retracted once published to the Chrome Web Store.

Why this severity: Critical because a blank popup on every activation is functionally indistinguishable from a broken extension, causing user abandonment before any feature can deliver value.

Interactive elements that freeze for more than 100ms after a click break the user's perception of control. Per ISO 25010:2011 performance-efficiency.time-behaviour, 100ms is the threshold beyond which lag becomes noticeable. In practice, synchronous XHR or large inline loops in click handlers block the UI thread entirely — buttons appear stuck, users double-click, and duplicate actions trigger. Extensions with this pattern see disproportionate negative reviews relative to their functional quality.

Why this severity: High because frozen UI elements during user interaction create a perception of defect, causing users to force-close or uninstall the extension.

Clipped popup content at default browser zoom hides primary actions — Save, Submit, Close — behind invisible overflow. Users on 125% zoom (the OS default on high-DPI Windows laptops and standard for low-vision users covered by WCAG 2.2 SC 1.4.4 Resize Text) hit dead ends where the save button renders below a fixed 200px container with `overflow: hidden`. The extension appears broken, reviews drop, and uninstalls spike. Accessibility compliance also fails when resized text gets cropped instead of reflowing.

Why this severity: High because clipped controls make the extension functionally unusable for a measurable segment of users at default zoom levels.

Layout shift during popup load is visually jarring and causes accidental clicks — a user aiming at a button hits a link when content loads and pushes the layout down. ISO 25010:2011 performance-efficiency.time-behaviour covers stability of the rendered interface, not just load time. Cumulative layout shift in extension popups is harder to measure than in web pages but its user impact is identical: misclicks on the wrong interactive element after a reflow.

Why this severity: Medium because layout shifts cause accidental misclicks and reduce perceived polish, but do not block core functionality the way a blank popup does.

Chrome tears down the popup JavaScript context the moment the popup loses focus, so every piece of in-memory state — active tab, scroll position, half-typed search queries, expanded accordions — vanishes on close. Users who click out to copy a value from another tab return to a reset UI and lose their input. For extensions with multi-step forms or tabbed settings, this destroys the mental flow and trains users to avoid the popup entirely, driving them to the options page or uninstalling.

Why this severity: Low because lost state is an annoyance rather than a failure of core functionality or data integrity.

A popup that fetches remote data with no visual feedback looks broken. Users click `Sync Now`, see no change for two seconds while the background script hits the network, and click again — triggering duplicate requests, duplicate writes, or duplicate API billing. Without a spinner, disabled button, or skeleton screen, users cannot distinguish a slow operation from a frozen extension. Perceived performance drops, support tickets spike, and the extension accumulates one-star reviews blaming it for bugs that are actually just unreported async work.

Why this severity: Low because missing indicators degrade perceived quality but do not block functionality or corrupt data.

Unthrottled `chrome.notifications.create` calls on every webRequest event, price-check tick, or polling cycle flood the OS notification center with dozens of popups per minute. Users disable notifications at the OS level, uninstall the extension, or leave one-star reviews citing spam. On macOS and Windows, excessive notifications also trigger system-level rate limiting that silently drops later — potentially important — alerts. Chrome Web Store reviewers flag notification-spamming extensions during policy review and may reject updates.

Why this severity: Critical because notification spam triggers uninstalls, one-star reviews, and Chrome Web Store policy rejection.

Notifications that fire unconditionally — with no user-facing toggle to silence them — violate the Chrome Web Store User Data FAQ expectation that users control communication from installed extensions. A user who wants daily summaries but not real-time alerts has no recourse except disabling notifications at the OS level, which also silences other apps. This drives uninstalls and triggers Chrome Web Store policy review flags for pushy or invasive behavior, and makes the extension non-compliant with enterprise deployment policies that require per-feature user control.

Why this severity: High because users cannot silence unwanted notifications without OS-level action, driving uninstalls and review penalties.

Badge text that fails WCAG 2.2 SC 1.4.11 (Non-Text Contrast, 3:1 minimum) is unreadable for users with low vision or color-blindness — the count value the badge conveys becomes invisible. The Chrome extension badge is one of the few always-visible UI elements in the browser chrome; inaccessible badge colors affect every user session, not just users navigating the popup. Chrome Web Store policy requires extensions meet accessibility standards, and this is a concrete, checkable criterion.

Why this severity: High because an unreadable badge permanently degrades the extension's primary ambient notification mechanism for millions of users with low-contrast sensitivity.

A badge count that drifts from reality undermines the entire notification contract. When bulk-delete actions, crash-interrupted decrements, or missed code paths leave the counter stale, users open the popup expecting unread items and find none — or worse, miss real items because the badge showed zero. ISO 25010:2011 functional-suitability.functional-correctness applies directly: the badge's job is accurate representation of state, and independent increment/decrement counters are structurally incapable of guaranteeing that.

Why this severity: Medium because stale badge counts cause user confusion and erode trust in the extension's reliability, but do not expose security risk or block core functionality.

Badge update calls fired on every high-frequency browser event — `webRequest.onCompleted`, `tabs.onUpdated`, or sub-5-second polling — create continuous background CPU load even when the user is doing nothing extension-related. ISO 25010:2011 performance-efficiency.resource-utilisation treats unnecessary background CPU consumption as a defect. On laptops, this translates directly to battery drain; on lower-end hardware it causes system-wide slowdown. Chrome surfaces extensions that abuse background resources in its Task Manager, leading to removal.

Why this severity: Medium because unbounded badge update frequency drains battery and CPU continuously, but the impact is gradual and not immediately catastrophic.

Cramming multi-item data into a newline-joined `type: 'basic'` message discards rich OS notification affordances — per-item titles, action buttons, progress bars, image thumbnails — that users expect from native apps on macOS, Windows, and ChromeOS. Worse, `requireInteraction: true` on informational notifications blocks the OS from auto-dismissing them, forcing users to manually dismiss every stale update. The extension feels second-class, and on ChromeOS it violates platform UX conventions that reviewers flag during Chrome Web Store submission.

Why this severity: Low because the extension still delivers information but with degraded ergonomics rather than a functional failure.

Extension bundle size directly affects install time, update time, and popup load time on every user's machine. A bloated bundle — caused by unminified libraries, uncompressed images, or unnecessary dependencies like full `lodash` or `moment.js` — forces users to download and parse megabytes of JavaScript the extension doesn't need. ISO 25010:2011 performance-efficiency.resource-utilisation identifies this as a defect. Chrome Web Store rejects extensions over 128MB, but the practical ceiling for perceived performance is far lower; extensions over 5MB noticeably slow popup initialization on mid-range hardware.

Why this severity: Critical because oversized bundles cause measurable popup latency, inflate install and update bandwidth, and signal absent build hygiene that usually correlates with other production defects.

MV3 service workers that never terminate because of `setInterval` or persistent WebSocket connections consume CPU and memory continuously — for every browser session, on every user's machine. ISO 25010:2011 performance-efficiency.resource-utilisation treats unkillable background processes as a resource defect. Chrome aggressively terminates service workers that misbehave, but a `setInterval` pattern keeps the worker alive indefinitely, preventing Chrome's idle eviction from ever firing. This drains battery on laptops and degrades overall system performance.

Why this severity: High because a background script that never terminates imposes a permanent CPU and memory tax on every user's browser, measurably degrading battery life.

Memory leaks in background scripts and content scripts accumulate silently across browsing sessions and tabs. A module-scope `Map` that grows on every `webRequest` without eviction, or event listeners added in repeated callbacks without removal, will grow until Chrome kills the extension process or the user notices slowdown. CWE-770 (Allocation of Resources Without Limits or Throttling) and ISO 25010:2011 performance-efficiency.resource-utilisation both cover this pattern. Extensions that trigger Chrome's "High memory usage" warning in the Task Manager get uninstalled.

Why this severity: High because unbounded memory growth from caches or listener accumulation eventually degrades system performance and triggers process termination, losing all in-memory state.

Unused assets and dead code bundled into a production extension inflate the download size every user pays on install and update, slow popup initialization as JavaScript is parsed, and expose development-only test fixtures or debug data that could leak internal implementation details. ISO 25010:2011 performance-efficiency.resource-utilisation applies: every unreferenced file is pure overhead. Source maps included in packaged extensions additionally expose original source code to any user who inspects the `.crx`.

Why this severity: Low because unused assets inflate bundle size and can expose internal paths, but do not directly break functionality or create immediate security risk.

Content scripts declared with `<all_urls>` or `*://*/*` run on every page the user visits, including banking sites, personal email, and internal tooling — even when the extension only needs to operate on one or two specific domains. ISO 25010:2011 performance-efficiency.resource-utilisation identifies this as unnecessary resource consumption: the content script consumes memory and may execute initialization code on every single page load. Beyond performance, overly broad match patterns expand the attack surface: a content script running on banking sites that has a vulnerability can be exploited in that sensitive context.

Why this severity: High because content scripts running on all URLs consume memory on every page load and increase the exploitable surface area of the extension on sensitive sites.

Extension shortcuts that collide with Chrome-reserved combinations (`Ctrl+T`, `Ctrl+W`, `Ctrl+Shift+N`, `Ctrl+L`, `Ctrl+R`, `F5`) get silently dropped by Chrome during registration — the manifest declares them, the extension looks configured, but the shortcut never fires. Users file bug reports about features that do not work, developers waste cycles investigating non-bugs, and support costs climb. Conflicts with OS-level shortcuts (`Cmd+Space`, `Win+L`) cannot be overridden at all and make the extension appear broken on specific platforms.

Why this severity: High because silently dropped shortcuts create bug reports, support load, and the appearance of a broken extension.

Extensions that bury settings inside the popup — with no `options_page` or `options_ui` entry in the manifest — force users to discover configuration through trial and error. Right-clicking the extension icon yields only Chrome's default context menu entries; settings are unreachable through the standard path users expect. Users who lose or reset their popup state cannot recover their preferences, and enterprise administrators managing deployed extensions have no canonical settings surface to document. Discoverability collapses and advanced features go unused.

Why this severity: Low because settings remain reachable through the popup but discoverability suffers for new and returning users.

Context menu items registered with `contexts: ['all']` appear on every right-click — blank page areas, the New Tab page, chrome:// settings, PDFs — cluttering the menu with options that cannot function in those contexts. Users right-clicking to copy text wade past irrelevant extension entries, and Chrome Web Store reviewers flag menu-spamming extensions as a policy concern under the single-purpose and minimal-permission guidelines. On pages where the extension has no host permission, clicking the item produces a silent no-op and looks broken.

Why this severity: Info because over-broad contexts degrade polish and discoverability without breaking core functionality.