Data collection limited to minimum necessary for stated functionality
Why it matters
GDPR Art. 5(1)(c) codifies data minimization as a legal obligation, not a guideline — collecting more data than your declared function requires is itself a violation. Chrome extensions that request history, cookies, or webRequest permissions for features that do not use them expand the blast radius of any future compromise and invite rejection from store reviewers performing permission audits. CCPA §1798.100 gives users the right to know what data is collected; collecting data not mentioned in your listing undermines that right and exposes you to regulatory action. Overpermissioned extensions are also a primary signal in automated Chrome Web Store policy enforcement.
Severity rationale
High because unnecessary permissions and extraneous data collection expand the attack surface of every future vulnerability — a bug in an extension with `history` access is far more damaging than the same bug without it.
Remediation
Audit your manifest.json permissions against actual API call sites. Remove any permission without a matching chrome.* API call in your codebase:
```jsonc
// BEFORE — overpermissioned
"permissions": ["history", "cookies", "storage", "tabs", "webRequest"]
// AFTER — scoped to actual usage
"permissions": ["storage", "tabs"]
```
Also remove background telemetry not disclosed in your store listing:
```javascript
// Remove if not disclosed in privacy policy
chrome.tabs.onActivated.addListener((info) => {
  analytics.track('tab_switched'); // DELETE: undisclosed telemetry on every tab switch
});
```
If you find permissions you intend to use later, remove them now and re-request when the feature ships.
Detection
- ID: minimal-collection
- Severity: high
- What to look for: Compare the extension's declared purpose (manifest description, store listing, privacy policy) with what data is actually collected. Check manifest permissions — do they exceed what the extension needs? Examine background scripts and content scripts for any telemetry, logging, or analytics that goes beyond the stated feature set.
- Pass criteria: Count every permission in the manifest and list all code references to each permission's API. Requested permissions match the stated functionality, with at least 90% actively used. Data collection is narrowly scoped — background scripts only collect what is needed for the declared feature. No extraneous telemetry or analytics beyond what is disclosed to the user.
- Fail criteria: Manifest requests permissions for features that don't exist (e.g., `tabs` permission but the extension never reads the active tab). Extensive telemetry or analytics collected that is not mentioned in the privacy policy or store listing. Background script logs global browsing data unrelated to extension functionality.
- Skip (N/A) when: Never — the minimal collection principle applies to all extensions.
- Detail on fail: Name the unnecessary permissions or collections. Example: "Manifest requests 'history' permission but extension never accesses browsing history. Adds unnecessary attack surface." or "Background script collects all visited URLs hourly but feature only requires processing current page URL."
- Remediation: Remove unused permissions from manifest:

  ```jsonc
  // BEFORE (overpermissioned)
  "permissions": ["history", "cookies", "storage", "tabs", "webRequest"]
  // AFTER (minimal)
  "permissions": ["storage", "tabs"]
  ```

  Remove telemetry unrelated to core functionality:

  ```javascript
  // Remove this if not disclosed
  chrome.tabs.onActivated.addListener((activeInfo) => {
    analytics.track('tab_switched');
  });
  ```
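As an added example (not part of this check's own tooling or the project's code), the following Node.js script performs the audit described in the remediation step and the pass criteria: it maps each declared permission to its `chrome.<name>` namespace, scans the extension's source for references, and computes the "actively used" ratio against the 90% threshold. The manifest and source strings are constructed samples embedded inline; permissions with no API namespace (such as `activeTab`) are flagged for manual review rather than counted.

```javascript
// Added example (not the project's code): static audit of declared permissions
// against chrome.* call sites. Inputs are constructed strings; a real run
// would read manifest.json and the script files from disk.

// Permissions with no chrome.<name> namespace; flag them for manual review.
const NO_NAMESPACE = new Set(['activeTab', 'unlimitedStorage', 'background']);

// Collect every chrome.<namespace> reference found in a source string.
function referencedNamespaces(source) {
  const found = new Set();
  const re = /\bchrome\.([A-Za-z]+)\b/g;
  for (const m of source.matchAll(re)) found.add(m[1]);
  return found;
}

// Compare manifest.permissions with the namespaces the code actually touches.
function auditPermissions(manifest, sources, threshold = 0.9) {
  const used = new Set();
  for (const src of Object.values(sources)) {
    for (const ns of referencedNamespaces(src)) used.add(ns);
  }
  const unused = [], manualReview = [];
  let usedCount = 0, checkable = 0;
  for (const perm of manifest.permissions || []) {
    if (NO_NAMESPACE.has(perm)) { manualReview.push(perm); continue; }
    checkable += 1;
    if (used.has(perm)) usedCount += 1; else unused.push(perm);
  }
  const usedRatio = checkable === 0 ? 1 : usedCount / checkable;
  return { unused, manualReview, usedRatio, pass: usedRatio >= threshold };
}

// Constructed sample: the overpermissioned manifest from the remediation above,
// with background code that only ever uses storage and tabs.
const sampleManifest = {
  manifest_version: 3,
  permissions: ['history', 'cookies', 'storage', 'tabs', 'webRequest'],
};
const sampleSources = {
  'background.js': `
    chrome.tabs.onActivated.addListener(async (info) => {
      const tab = await chrome.tabs.get(info.tabId);
      await chrome.storage.local.set({ lastUrl: tab.url });
    });`,
};

const report = auditPermissions(sampleManifest, sampleSources);
console.log(report);
// → { unused: ['history', 'cookies', 'webRequest'], manualReview: [], usedRatio: 0.4, pass: false }
```

Re-running with the trimmed manifest (`["storage", "tabs"]`) yields a ratio of 1.0 and a pass; the script is static, so a permission referenced only in dead code still counts as used and should be confirmed by hand.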
External references
- gdpr · Art. 5(1)(c) — Data minimisation principle
- ccpa · §1798.100 — Consumer right to know what personal information is collected
- external · chrome-web-store-user-data-policy — Chrome Web Store User Data Privacy Policy — Limited Use requirement
- nist:rev5 · AC-3 — Access Enforcement / least privilege
- cwe · CWE-272 — Least Privilege Violation
- owasp:2021 · A04 — Insecure Design
Taxons
History
- 2026-04-18·v1.0.0·Initial import from extension-data-privacy·automated