Matches are specific
Why it matters
A content script injecting into <all_urls> runs on every page the user visits — banking portals, health records, internal tools — whether or not the extension has any useful function there. CWE-250 governs this: the content script context executes with unnecessary privileges on irrelevant origins. Chrome's match pattern documentation and OWASP A01 (Broken Access Control) both call for the minimal set of origins. Broad injection also degrades browser performance (each injection is a separate script parse and execution per tab), increases memory usage, and creates a larger attack surface for page-to-extension message injection attacks.
Severity rationale
Medium because over-broad match patterns inject the content script into sensitive origins (banking, health) where the extension has no purpose, compounding any content-script XSS into a cross-origin exposure.
Remediation
Scope matches in manifest.json to the specific domains your extension actually interacts with.
{
  "content_scripts": [{
    "matches": ["https://specific-site.com/*"],
    "js": ["content.js"]
  }]
}
If you genuinely need to support arbitrary pages, combine activeTab with a browser-action click instead of broad static match patterns — this avoids the automatic injection and the install-time warning.
Detection
- ID: specific-matches
- Severity: medium
- What to look for: List all matches patterns in content_scripts from manifest.json. Count the number of broad patterns (<all_urls>, *://*/*) versus specific domain patterns.
- Pass criteria: All match patterns are specific to the domains the extension targets. No broad patterns such as <all_urls> or *://*/* are used unless the extension is explicitly a general-purpose tool. Report the count of match patterns found and their specificity.
- Fail criteria: matches contains <all_urls> or *://*/* when the extension is not a general-purpose web tool.
- Skip (N/A) when: The extension is a general utility (like a password manager) that must run everywhere.
- Detail on fail: "Content script injects into <all_urls>. This impacts performance and privacy on every page visit."
- Remediation: Scope your content scripts in manifest.json to specific sites whenever possible.
  {
    "content_scripts": [{
      "matches": ["https://specific-site.com/*"],
      "js": ["content.js"]
    }]
  }
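The detection steps above, implemented as an added example (not part of the original check or any scanner this page describes). It parses a manifest, collects every matches pattern under content_scripts, and classifies a pattern as broad when it is <all_urls> or its host component is a bare "*"; that generalizes the two cases the check names (<all_urls>, *://*/*) to cover http://*/* and https://*/* as well, which match every host on that scheme. The sample manifest and the general_purpose flag are constructed for this example.

```python
import json
import re

# Chrome match pattern shape: <scheme>://<host><path>; a host of "*" matches every host.
_MATCH_RE = re.compile(r"^(\*|https?|file|ftp|wss?|chrome-extension)://([^/]*)(/.*)$")


def is_broad_pattern(pattern):
    """True for <all_urls> and for any pattern whose host is a bare '*'.

    Covers the check's own cases (<all_urls>, *://*/*) and also http://*/*
    and https://*/*, which likewise inject into every host on that scheme.
    """
    if pattern == "<all_urls>":
        return True
    m = _MATCH_RE.match(pattern)
    return bool(m) and m.group(2) == "*"


def check_specific_matches(manifest, general_purpose=False):
    """Evaluate rule specific-matches against a parsed manifest dict.

    general_purpose is an assumed input flag: set it when the extension is a
    general utility that must run everywhere (the check's skip condition).
    Returns status (pass/fail/skip), total pattern count and the broad ones.
    """
    patterns = []
    for script in manifest.get("content_scripts", []):
        patterns.extend(script.get("matches", []))
    broad = [p for p in patterns if is_broad_pattern(p)]
    if general_purpose:
        status = "skip"
    elif broad:
        status = "fail"
    else:
        status = "pass"
    return {"status": status, "total": len(patterns), "broad": broad}


# Constructed sample manifest for demonstration; not a real extension.
SAMPLE_MANIFEST = json.loads("""
{
  "manifest_version": 3,
  "content_scripts": [
    {"matches": ["https://specific-site.com/*"], "js": ["content.js"]},
    {"matches": ["<all_urls>", "https://*/*"], "js": ["tracker.js"]}
  ]
}
""")

if __name__ == "__main__":
    print(check_specific_matches(SAMPLE_MANIFEST))
```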
External references
- cwe · CWE-250 — Execution with Unnecessary Privileges
- owasp:2021 · A01
- external · chrome-match-patterns — Chrome Extensions: Match Patterns
History
- 2026-04-18·v1.0.0·Initial import from extension-permissions-security·automated