Permission justification in manifest matches actual feature usage
Why it matters
When a manifest requests permissions that are never used in code, the extension presents a larger attack surface than necessary and violates the data minimization principle in GDPR Art. 5(1)(c). Reviewers at the Chrome Web Store explicitly audit permission-to-usage alignment — requesting history or cookies without a clear purpose triggers human review and is a common cause of rejection. CWE-272 addresses least privilege failure: granting more access than required means any future exploit, supply chain attack, or malicious update can leverage permissions that should never have existed. Without documented justification, neither users nor reviewers can verify that permissions are legitimate.
Severity rationale
High because unjustified permissions fail Chrome Web Store review, inflate attack surface, and violate GDPR Art. 5(1)(c) data minimization — any future vulnerability in the extension automatically gains the scope of every undocumented permission.
Remediation
For each permission in manifest.json, add an inline comment explaining its purpose, then verify a matching API call exists in your code:
    "permissions": [
      "storage",   // Store user preferences locally
      "tabs",      // Read current tab URL for page analysis
      "activeTab"  // Access focused tab on user action only
    ]
For any permission without a comment and a matching code reference, remove it immediately. If a permission was added for a planned feature, exclude it until that feature ships — you can re-request permissions in a future manifest version. Check usage with a project-wide search: if chrome.history appears nowhere in your source, history is unused.
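One way to script the project-wide search described above, as an added example that is not part of the original page or of any Chrome tooling. It assumes one permission per line in manifest.json; `auditPermissions`, `parsePermissions` and the sample manifest and source are hypothetical, constructed names and data, and the check also flags permissions that lack a comment.

```javascript
// Added example: heuristic audit. Assumed list of permissions with no chrome.<name> namespace.
const NO_NAMESPACE = new Set(["activeTab", "clipboardRead", "clipboardWrite"]);
// Read the "permissions" array (one entry per line), keeping each trailing // comment.
function parsePermissions(manifestText) {
  const block = /"permissions"\s*:\s*\[([\s\S]*?)\]/.exec(manifestText);
  if (!block) return [];
  const entries = [];
  for (const line of block[1].split(/\r?\n/)) {
    const m = /^\s*"([^"]+)"\s*,?\s*(?:\/\/\s*(.*))?$/.exec(line);
    if (m) entries.push({ permission: m[1], comment: (m[2] || "").trim() });
  }
  return entries;
}
// sources: { fileName: fileText }. Returns one finding per declared permission.
function auditPermissions(manifestText, sources) {
  return parsePermissions(manifestText).map(({ permission, comment }) => {
    const finding = { permission, comment, usedIn: [], status: "pass" };
    if (NO_NAMESPACE.has(permission)) {
      finding.status = comment ? "manual-review" : "fail: no justification";
      return finding;
    }
    const name = permission.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
    const api = new RegExp(`\\b(?:chrome|browser)\\.${name}\\b`);
    for (const [file, code] of Object.entries(sources)) {
      code.split(/\r?\n/).forEach((text, i) => {
        if (/^\s*\/\//.test(text)) return; // commented-out calls are not usage
        if (api.test(text)) finding.usedIn.push(`${file}:${i + 1}`);
      });
    }
    if (finding.usedIn.length === 0) finding.status = "fail: unused";
    else if (!comment) finding.status = "fail: no justification";
    return finding;
  });
}

// Constructed sample input: "history" has no comment and only a commented-out call.
const SAMPLE_MANIFEST = `{
  "permissions": [
    "storage",   // Store user preferences locally
    "tabs",      // Read current tab URL for page analysis
    "history",
    "activeTab"  // Access focused tab on user action only
  ]
}`;
const SAMPLE_SOURCES = { "background.js": [
  "chrome.storage.local.get('prefs', apply);",
  "// chrome.history.search({ text: '' }, show);",
  "chrome.tabs.query({ active: true, currentWindow: true }, analyze);",
].join("\n") };
```

A `chrome.tabs` match alone does not prove the `tabs` permission is needed, since that permission only gates sensitive Tab fields such as `url` and `title`; treat each `usedIn` entry as a location to review against the manifest comment.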
Detection
- ID: permission-justification
- Severity: high
- What to look for: For each permission in manifest (tabs, history, cookies, webRequest, clipboardRead, identity, etc.), check whether there is a comment or documentation explaining why it's needed, and verify that the extension actually uses that permission. Common false positives: requesting history but only reading current tab, requesting webRequest for a feature that doesn't exist.
- Pass criteria: For each permission in the manifest, list all code locations that invoke the corresponding API. Each permission has a brief comment in manifest explaining its purpose. At least 100% of permissions must have matching code usage for the declared feature.
- Fail criteria: Permissions lack comments or explanations. Permissions are requested but never used in code. Explanations don't match actual usage.
- Skip (N/A) when: Never — this applies to all extensions.
- Detail on fail: Name misaligned permissions. Example: "'history' permission in manifest but no code accesses chrome.history API" or "Manifest comment says 'tabs permission for tab search' but extension only displays active tab, doesn't enumerate tabs."
- Remediation: Document each permission in manifest with a brief comment:

      "permissions": [
        "storage",    // Store user preferences
        "tabs",       // Get current tab URL for page analysis
        "webRequest"  // No longer used — remove in next version
      ]

  Remove unused permissions immediately.
External references
- cwe · CWE-272 — Least Privilege Violation
- gdpr · Art. 5(1)(c) — Data minimisation
- external · chrome-web-store-user-data-policy — Chrome Web Store User Data Privacy Policy — Permissions must match declared functionality
History
- 2026-04-18·v1.0.0·Initial import from extension-data-privacy·automated