activeTab is prioritized over static permissions
Why it matters
Static host permissions show a scary install-time warning ('Read and change your data on specific websites') and persist even when the user hasn't triggered the extension. activeTab, by contrast, grants temporary access only to the tab that is active at the moment the user explicitly invokes the extension — no persistent grant, no install warning, and no access to background tabs. CWE-250 governs this: a static host permission is an execution privilege that persists indefinitely, while activeTab is just-in-time. Chrome's published permission guidelines strongly prefer activeTab for any user-gesture-driven workflow.
Severity rationale
High because static host permissions persist beyond user intent, granting background access to page content even when the extension is idle — an unnecessary privilege escalation.
Remediation
Replace static host permissions with activeTab in manifest.json for any functionality triggered by a browser-action click, context menu item, or keyboard shortcut.
{ "permissions": ["activeTab"] }
Then in your background script, call chrome.tabs.query({ active: true, currentWindow: true }) inside the action click handler — the activeTab grant is available only within that user gesture's event scope.
Detection
- ID: active-tab-prioritized
- Severity: high
- What to look for: Enumerate all user interaction triggers in the extension: browser action clicks, context menu items, keyboard shortcuts. For each, classify whether it uses activeTab or static host permissions. Check manifest.json permissions for activeTab presence.
- Pass criteria: activeTab is used for user-triggered page interaction instead of static host permissions. At least 1 user-gesture-triggered flow relies on activeTab rather than broad host access. Confirm by checking the manifest.json permissions array.
- Fail criteria: The extension functions by user invocation but requests static host permissions for the site instead of using activeTab.
- Skip (N/A) when: The extension runs automatically in the background without user interaction (e.g., an automatic coupon finder).
- Detail on fail: "Extension uses static host permissions for page interaction but could use 'activeTab' to improve security and privacy."
- Remediation: The activeTab permission in manifest.json grants temporary access to the currently active tab when the user invokes the extension. It eliminates the need for scary installation warnings. { "permissions": ["activeTab"] }
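The detection steps above, written out as a static check over a parsed manifest.json. This is an added example, not the rule's own tooling; the heuristic that an extension is "user-invoked" when its manifest declares an action/browser_action, keyboard commands, or the contextMenus permission is an assumption, and the sample manifests are constructed.

```javascript
// Added example, not the rule page's own tooling: a static check over a parsed
// manifest.json that reproduces this rule's pass/fail/skip decision.
// Assumption: "user-invoked" is approximated by an action/browser_action,
// keyboard commands, or the contextMenus permission in the manifest.
// Match patterns that grant static host access. MV2 lists them under
// "permissions", MV3 under "host_permissions".
const HOST_PATTERN = /^(\*|https?|file|ftp):\/\//;

function staticHostPermissions(manifest) {
  const perms = manifest.permissions || [];
  const hosts = manifest.host_permissions || [];
  return [...perms, ...hosts].filter(
    (p) => p === "<all_urls>" || HOST_PATTERN.test(p)
  );
}

function hasUserGestureTrigger(manifest) {
  const perms = manifest.permissions || [];
  return Boolean(
    manifest.action || manifest.browser_action || manifest.page_action ||
    manifest.commands || perms.includes("contextMenus")
  );
}

// Returns { result: "pass" | "fail" | "skip", hosts: [offending entries] }.
function checkActiveTabPrioritized(manifest) {
  const hosts = staticHostPermissions(manifest);
  if (!hasUserGestureTrigger(manifest)) return { result: "skip", hosts };
  // Any static host grant in a user-invoked extension is the finding, even
  // when activeTab is declared alongside it.
  return { result: hosts.length > 0 ? "fail" : "pass", hosts };
}
// Constructed sample manifests (not from any real extension).
const FAILING_MANIFEST = {
  manifest_version: 3,
  action: { default_title: "Summarize page" },
  permissions: ["scripting"],
  host_permissions: ["https://*.example.com/*"],
};
const PASSING_MANIFEST = {
  manifest_version: 3,
  action: { default_title: "Summarize page" },
  permissions: ["activeTab", "scripting"],
};
const BACKGROUND_MANIFEST = {
  manifest_version: 3,
  background: { service_worker: "bg.js" },
  host_permissions: ["<all_urls>"],
};
```

The check returns the offending host entries so a reviewer can confirm whether a gesture-driven flow really needs them before recording the fail.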
External references
- cwe · CWE-250 — Execution with Unnecessary Privileges
- owasp:2021 · A01
- external · chrome-active-tab — Chrome Extensions: activeTab Permission
Taxons
History
- 2026-04-18·v1.0.0·Initial import from extension-permissions-security·automated