No global host permissions (all_urls)
Why it matters
Requesting <all_urls> or *://*/* in host_permissions grants your extension read and write access to every page the user visits — every banking session, every health portal, every private message thread. Chrome's permission-warning system flags this with a maximally alarming install dialog ('Read and change all your data on all websites'), crushing install conversion. Per the Chrome Web Store policy on host permissions, extensions must request only the minimal host access needed. CWE-250 applies: any code executing with <all_urls> access runs at a privilege level that makes a single XSS or supply-chain vulnerability into a total browsing-history exfiltration event.
Severity rationale
High because global host permissions expose all browsing data to the extension process, making any JavaScript compromise within the extension a full browsing-session exfiltration.
Remediation
Replace wildcard host patterns with explicit domains in manifest.json. If you access only GitHub and GitLab, list exactly those.
    "host_permissions": [
      "https://github.com/*",
      "https://gitlab.com/*"
    ]
If you need user-triggered access to arbitrary pages, use activeTab instead of host permissions — it requires no install-time grant and shows no permission warning.
Detection
- ID: no-all-urls
- Severity: high
- What to look for: Check host_permissions (V3) or permissions (V2) for <all_urls>, *://*/*, http://*/*, or https://*/*. Quote the actual host permission entries found in manifest.json.
- Pass criteria: The extension requests at most 0 global host patterns and no more than 5 specific host permission entries. It uses specific host permissions (e.g., https://*.google.com/) or uses activeTab. It does NOT request global access to all URLs. Report even on pass: list all host permissions found and their specificity.
- Fail criteria: <all_urls> or *://*/* is present in permissions. Do not pass when broad patterns like https://*/* are used as a workaround for <all_urls>.
- Skip (N/A) when: The extension explicitly requires global access by definition (e.g., a password manager or ad blocker), BUT this must be evident from the project type. Even then, mark as fail if not strictly justified.
- Detail on fail: "Extension requests access to <all_urls>. This grants access to all browsing data and is a major security risk."
- Remediation: Restrict host permissions in manifest.json to only the domains you need.
    "host_permissions": [ "https://github.com/*", "https://gitlab.com/*" ]
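The detection criteria above, written as a check over a parsed manifest.json. This is an added example, not code from this rule's project: the function names and both sample manifests are constructed, and treating any pattern whose host is a bare * as global is an assumption that generalizes the four patterns listed.

```javascript
// Added example: audit a parsed manifest.json against the no-all-urls check.
const MAX_SPECIFIC_HOSTS = 5; // limit taken from the pass criteria

// Classify one permissions entry. Returns null for API permissions
// ("storage", "activeTab", ...) that are not host match patterns.
function parsePattern(entry) {
  if (typeof entry !== "string") return null;
  if (entry === "<all_urls>") return { entry, global: true };
  const m = /^([^:\/]+):\/\/([^\/]*)\/.*$/.exec(entry);
  if (!m) return null;
  // Assumption: a bare "*" host is global for any scheme, which covers
  // *://*/*, http://*/* and https://*/*.
  return { entry, global: m[2] === "*" };
}

function auditHostPermissions(manifest) {
  // V3 keeps hosts in host_permissions; V2 mixes them into permissions.
  const raw = manifest.manifest_version === 3
    ? manifest.host_permissions ?? []
    : manifest.permissions ?? [];
  const hosts = raw.map(parsePattern).filter(Boolean);
  const globalHosts = hosts.filter((h) => h.global).map((h) => h.entry);
  const specificHosts = hosts.filter((h) => !h.global).map((h) => h.entry);
  const pass = globalHosts.length === 0 &&
    specificHosts.length <= MAX_SPECIFIC_HOSTS;
  return {
    id: "no-all-urls",
    severity: "high",
    status: pass ? "pass" : "fail",
    globalHosts,    // quoted verbatim from the manifest
    specificHosts,  // reported even on pass
    usesActiveTab: (manifest.permissions ?? []).includes("activeTab"),
  };
}

// Constructed sample manifests (not from a real extension).
const SAMPLE_SCOPED_V3 = {
  manifest_version: 3,
  permissions: ["storage", "activeTab"],
  host_permissions: ["https://github.com/*", "https://gitlab.com/*"],
};
const SAMPLE_BROAD_V2 = {
  manifest_version: 2,
  permissions: ["tabs", "https://*/*", "https://example.com/*"],
};

console.log(auditHostPermissions(SAMPLE_SCOPED_V3));
console.log(auditHostPermissions(SAMPLE_BROAD_V2));
```

The Skip (N/A) case is a judgment about the project type and is left to the reviewer; the function reports only pass or fail.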
External references
- cwe · CWE-250 — Execution with Unnecessary Privileges
- owasp:2021 · A01
- external · chrome-host-permissions — Chrome Extensions: Host Permissions
History
- 2026-04-18·v1.0.0·Initial import from extension-permissions-security·automated