CWE-250 (Execution with Unnecessary Privileges) is the direct consequence of over-broad Chrome extension permissions. Every extra permission listed in manifest.json expands your attack surface: a supply-chain compromise of one dependency can exfiltrate all browsing history if `history` is listed, or silently install other extensions if `management` is present. Because Chrome's permission-warning system surfaces these permissions at install time, excessive permissions also trigger alarming install dialogs that depress conversion rates and erode user trust. OWASP A01 (Broken Access Control) governs this: the extension should operate with the minimum privilege necessary. Unused permissions discovered during Chrome Web Store review will block publication.
Critical because a compromised extension with over-broad permissions — such as `tabs` or `management` — can silently exfiltrate browsing history or install malware, with no user-visible indication.
Audit every entry in manifest.json permissions against actual chrome.* API calls in the codebase. Remove any permission with zero call sites. Downgrade tabs to activeTab when the extension only acts on the current page at user request.
{
"permissions": ["activeTab", "storage"]
}
For host access, prefer activeTab over static host permissions — it requests no install-time warning and grants access only when the user clicks the extension icon.
ID: extension-permissions-security.permission-scope-validation.permissions-minimal
Severity: critical
What to look for: Enumerate all permissions in manifest.json permissions array. For each permission, search the codebase for the corresponding chrome.* API call. Count the ratio of used permissions to total requested permissions. Look for "super-permissions" like tabs, management, debugger, history, bookmarks that are requested but seemingly unused or over-broad for the described functionality.
Pass criteria: Every requested permission is clearly used in the codebase — each entry in permissions maps to at least 1 corresponding API call. No "super-permissions" are requested when a narrower permission (like activeTab) would suffice. Report even on pass: report the count of permissions verified and the usage mapping.
Fail criteria: Permissions are requested but not used (e.g., management is in manifest but chrome.management is never called), or tabs is requested when the extension only interacts with the active tab upon user action. Do not pass when permission justification is inferred but not confirmed by code search.
Skip (N/A) when: Never — strict permission scoping is essential.
Detail on fail: "Permission 'tabs' is requested but 'activeTab' appears sufficient for this functionality" or "Permission 'management' requested but no API calls found"
Remediation: Remove unused permissions from manifest.json. Downgrade broad permissions to specific ones. Use activeTab instead of tabs + host permissions if you only need access when the user clicks the extension.
{
"permissions": ["activeTab", "storage"]
}
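The audit this check describes (enumerate manifest permissions, map each to chrome.* call sites, flag unused entries and a `tabs` grant that only ever queries the active tab), as an added example that is not part of the original check. The permission-to-namespace mapping, the activeTab heuristic and the sample manifest/scripts are assumptions constructed for the example.

```python
import json
import re

# Manifest permission -> chrome.* namespaces that justify it (an assumption of this
# example; permissions not listed here fall back to the namespace of the same name).
PERMISSION_API = {
    "tabs": ["chrome.tabs"],
    "activeTab": ["chrome.tabs", "chrome.scripting"],
    "storage": ["chrome.storage"],
    "management": ["chrome.management"],
}
API_CALL = re.compile(r"\bchrome\.([a-zA-Z]+)\.([a-zA-Z]+)")
ACTIVE_QUERY = re.compile(r"chrome\.tabs\.query\(\s*\{[^}]*\bactive\s*:\s*true")

def audit_permissions(manifest_text, sources):
    """sources: {filename: JS text}. Returns (passed, usage_map, findings)."""
    requested = json.loads(manifest_text).get("permissions", [])
    calls = {}            # "chrome.tabs" -> number of call sites across all files
    tabs_methods = set()  # chrome.tabs methods seen, for the activeTab heuristic
    for code in sources.values():
        for ns, method in API_CALL.findall(code):
            calls["chrome." + ns] = calls.get("chrome." + ns, 0) + 1
            if ns == "tabs":
                tabs_methods.add(method)
    usage, findings = {}, []
    for perm in requested:
        apis = PERMISSION_API.get(perm, ["chrome." + perm])
        usage[perm] = sum(calls.get(api, 0) for api in apis)
        if usage[perm] == 0:
            findings.append(f"Permission '{perm}' requested but no API calls found")
    # Heuristic: if chrome.tabs is only used for query({active: true, ...}) or
    # sendMessage, the extension only touches the current tab and activeTab suffices.
    if usage.get("tabs", 0) and tabs_methods <= {"query", "sendMessage"}:
        code = "\n".join(sources.values())
        if code.count("chrome.tabs.query(") == len(ACTIVE_QUERY.findall(code)):
            findings.append("Permission 'tabs' is requested but 'activeTab' "
                            "appears sufficient for this functionality")
    return not findings, usage, findings

# Constructed sample: a popup that stores the current tab's URL, plus an unused
# 'management' permission, so both fail conditions from the check appear.
SAMPLE_MANIFEST = '{"permissions": ["tabs", "storage", "management"]}'
SAMPLE_SOURCES = {
    "popup.js": "chrome.tabs.query({active: true, currentWindow: true}, (t) => {\n"
                "  chrome.storage.local.set({last: t[0].url});\n});",
    "background.js": "chrome.runtime.onInstalled.addListener(() => {});",
}

if __name__ == "__main__":
    passed, usage, findings = audit_permissions(SAMPLE_MANIFEST, SAMPLE_SOURCES)
    print("PASS" if passed else "FAIL", usage, *findings, sep="\n")
```

Running it against a real extension means reading manifest.json and every .js file from disk into the `sources` dict; the regex counts call sites by namespace, so a permission whose API is only reached through a wrapper library still needs a manual look.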
Cross-reference: For host permission scoping, see the unused-removed check in the Host Permissions Minimization category.