A content script injecting into <all_urls> runs on every page the user visits — banking portals, health records, internal tools — whether or not the extension has any useful function there. CWE-250 governs this: the content script context executes with unnecessary privileges on irrelevant origins. Chrome's match pattern documentation and OWASP A01 (Broken Access Control) both call for the minimal set of origins. Broad injection also degrades browser performance (each injection is a separate script parse and execution per tab), increases memory usage, and creates a larger attack surface for page-to-extension message injection attacks.
Medium because over-broad match patterns inject the content script into sensitive origins (banking, health) where the extension has no purpose, compounding any content-script XSS into a cross-origin exposure.
Scope matches in manifest.json to the specific domains your extension actually interacts with.
{
  "content_scripts": [{
    "matches": ["https://specific-site.com/*"],
    "js": ["content.js"]
  }]
}
If you genuinely need to support arbitrary pages, combine activeTab with a browser-action click instead of broad static match patterns — this avoids the automatic injection and the install-time warning.
ID: extension-permissions-security.content-script-isolation.specific-matches
Severity: medium
What to look for: List every pattern in the matches array of each content_scripts entry in manifest.json. Count the broad patterns (<all_urls>, *://*/*) against the specific domain patterns.
Pass criteria: All match patterns are specific to the domains the extension targets. No broad patterns such as <all_urls> or *://*/* are used unless the extension is explicitly a general-purpose tool. Report the count of match patterns found and their specificity.
Fail criteria: matches contains <all_urls> or *://*/* when the extension is not a general-purpose web tool.
Skip (N/A) when: Extension is a general utility (like a password manager) that must run everywhere.
Detail on fail: "Content script injects into <all_urls>. This impacts performance and privacy on every page visit."
Remediation: Scope your content scripts in manifest.json to specific sites whenever possible.
{
  "content_scripts": [{
    "matches": ["https://specific-site.com/*"],
    "js": ["content.js"]
  }]
}
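As an added example (not code from the original check), a small JavaScript checker that applies the pass, fail and skip criteria above to a parsed manifest.json object. It goes slightly beyond the two literals named on the page by treating any pattern whose host is a bare * (for example https://*/*) as broad. The sample manifests and the isGeneralPurpose flag are constructed assumptions.

```javascript
// Broad patterns named by the check, plus scheme-specific all-host wildcards.
const BROAD_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);

// A pattern is broad when it is one of the known literals or its host part is a
// bare '*', which matches every origin of that scheme. Host patterns such as
// '*.example.com' are subdomain wildcards and stay specific.
function isBroadPattern(pattern) {
  if (BROAD_PATTERNS.has(pattern)) return true;
  return /^(\*|https?|ftp):\/\/\*\/.*$/.test(pattern);
}

// Returns the rule verdict plus the counts the "What to look for" step asks for.
// isGeneralPurpose is an assumed caller-supplied flag for the Skip (N/A) case.
function checkContentScriptMatches(manifest, { isGeneralPurpose = false } = {}) {
  const scripts = Array.isArray(manifest.content_scripts) ? manifest.content_scripts : [];
  const patterns = scripts.flatMap((cs) => (Array.isArray(cs.matches) ? cs.matches : []));
  const broad = patterns.filter(isBroadPattern);

  let status;
  if (isGeneralPurpose || patterns.length === 0) status = 'skip'; // no content scripts: nothing to judge
  else status = broad.length === 0 ? 'pass' : 'fail';

  return {
    status,
    total: patterns.length,
    broadCount: broad.length,
    specificCount: patterns.length - broad.length,
    broad,
    detail: status === 'fail'
      ? `Content script injects into ${broad.join(', ')}. This impacts performance and privacy on every page visit.`
      : null,
  };
}

// Constructed sample manifests: one over-broad, one scoped as the remediation suggests.
const SAMPLE_MANIFEST_BROAD = { content_scripts: [{ matches: ['<all_urls>'], js: ['content.js'] }] };
const SAMPLE_MANIFEST_SCOPED = {
  content_scripts: [{ matches: ['https://specific-site.com/*'], js: ['content.js'] }],
};

console.log(JSON.stringify(checkContentScriptMatches(SAMPLE_MANIFEST_BROAD), null, 2));
console.log(JSON.stringify(checkContentScriptMatches(SAMPLE_MANIFEST_SCOPED), null, 2));
```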