Browser permission dialogs are terse and technical — users confronted with "This extension wants to read your browsing history" without any explanation default to denial or, worse, approval without understanding. GDPR Art. 12 requires privacy information to be provided in a concise, transparent, and easily accessible form. Without user-facing help text in the options page or popup, users cannot make informed choices about which permissions to allow, cannot verify that the extension's permissions match its stated purpose, and are more likely to distrust the extension or report it as suspicious. Transparent permission explanations are the difference between an extension users recommend and one they uninstall.
Info because absent help text degrades user trust and informed consent rather than creating a direct technical vulnerability — but it is a signal that the extension has not considered privacy communication as part of its design.
Add a "Permissions" section to your options.html explaining each non-trivial permission in plain language:
<section id="permissions-explainer">
  <h3>Why we need these permissions</h3>
  <dl>
    <dt>Camera</dt>
    <dd>Activated only when you start a video call. We never record without your action.</dd>
    <dt>Storage</dt>
    <dd>Your preferences are stored locally on this device. Nothing is sent to our servers.</dd>
    <dt>Active Tab</dt>
    <dd>We read the current page URL only when you click the extension icon.</dd>
  </dl>
</section>
Keep explanations specific to what happens, not what the API is called. If a permission is used rarely, note when it activates.
ID: extension-data-privacy.privacy-disclosures.permission-help-text
Severity: info
What to look for: Check the extension's options page, popup, or first-run experience for user-facing help text or tooltips that explain why each permission is needed. Look for descriptions like "Camera access needed for video calls" or "Location required to show nearby content." Verify these explanations are clear and honest.
Pass criteria: Count all permissions that require user-facing explanation. For each major permission (camera, microphone, location, contacts, storage), there is user-facing help text explaining why it's needed. At least 80% of non-trivial permissions must have visible explanations. Text appears in options page, popup hover, or onboarding.
Fail criteria: No help text provided for permissions. Users are confused about why permissions are requested. Or help text is vague or misleading.
Skip (N/A) when: Extension requests no permissions, or permissions are trivial (storage only).
Detail on fail: "No explanation provided for why camera permission is requested — users see only the system prompt" or "Help text for microphone permission is vague: 'Required for functionality' provides no context."
Remediation: Add clear, user-facing help text for each permission. In options.html:
<section>
  <h3>Permissions & Why We Need Them</h3>
  <div class="permission-item">
    <strong>Camera</strong>
    <p>We request camera access to enable video calls. Your camera is only activated when you start a call, and we never record without your consent.</p>
  </div>
  <div class="permission-item">
    <strong>Microphone</strong>
    <p>Audio input is necessary for voice and video calls. Your microphone is always under your control.</p>
  </div>
  <div class="permission-item">
    <strong>Storage</strong>
    <p>We store your preferences and call history locally on your device. No data is sent to external servers.</p>
  </div>
</section>
Or add tooltips to the popup:
// showTooltip() is the extension's own helper for rendering the hint; it is not a browser API.
document.querySelector('#cameraButton').addEventListener('mouseover', () => {
  showTooltip('Camera access lets you start video calls');
});
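The pass and fail criteria above can be approximated mechanically. The following is an added example, not part of the original check or of any extension's code: it compares a manifest's permissions with the explanations on an options page and reports coverage against the 80% threshold, counting vague text as unexplained. Assumptions: storage is treated as the only trivial permission (per the Skip rule), explanations sit in `<dt>`/`<dd>` pairs, and the `LABELS` map, the `VAGUE` pattern and the function names are illustrative.

```javascript
// Added example, not the check's own code: heuristic audit of the 80% pass criterion.
// Assumptions: "storage" is the only trivial permission (per the Skip rule), explanations
// sit in <dt>/<dd> pairs as in the first options.html snippet, LABELS and VAGUE are illustrative.
const TRIVIAL = new Set(['storage']);
const LABELS = { activeTab: 'active tab', history: 'browsing history', geolocation: 'location' };
const VAGUE = /^(required|needed|necessary) for (functionality|the extension to work)\.?$/i;

// Collect a Map of lower-cased <dt> label -> <dd> explanation text, with inner tags stripped.
function extractExplanations(html) {
  const clean = (s) => s.replace(/<[^>]+>/g, ' ').replace(/\s+/g, ' ').trim();
  const pairs = new Map();
  const re = /<dt[^>]*>([\s\S]*?)<\/dt>\s*<dd[^>]*>([\s\S]*?)<\/dd>/gi;
  for (const m of html.matchAll(re)) {
    pairs.set(clean(m[1]).toLowerCase(), clean(m[2]));
  }
  return pairs;
}

// Returns { result: 'pass' | 'fail' | 'skip', coverage, missing, vague }.
function auditPermissionHelpText(manifest, optionsHtml) {
  const requested = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const nonTrivial = requested.filter((p) => !TRIVIAL.has(p));
  if (nonTrivial.length === 0) return { result: 'skip', coverage: null, missing: [], vague: [] };

  const explained = extractExplanations(optionsHtml);
  const missing = [];
  const vague = [];
  for (const perm of nonTrivial) {
    const text = explained.get((LABELS[perm] || perm).toLowerCase());
    if (text === undefined || text === '') missing.push(perm);
    else if (VAGUE.test(text)) vague.push(perm); // "Required for functionality" gives no context
  }
  const coverage = (nonTrivial.length - missing.length - vague.length) / nonTrivial.length;
  return { result: coverage >= 0.8 ? 'pass' : 'fail', coverage, missing, vague };
}

// Constructed sample input: three non-trivial permissions, one explained well,
// one explained vaguely, one not explained at all.
const sampleManifest = { manifest_version: 3, permissions: ['storage', 'activeTab', 'history', 'geolocation'] };
const sampleOptions = `
<dl>
  <dt>Active Tab</dt>
  <dd>We read the current page URL only when you click the extension icon.</dd>
  <dt>Location</dt>
  <dd>Required for functionality</dd>
</dl>`;

console.log(auditPermissionHelpText(sampleManifest, sampleOptions));
```

A match on the label only shows that some text exists; whether the explanation is honest about what the extension does still needs a manual read against the code.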