
Unused host permissions removed

ab-001335 · extension-permissions-security.host-permissions-minimization.unused-removed
Severity: medium · active

Why it matters

CWE-250 (Execution with Unnecessary Privileges) covers unused host permissions: an extension holding a host permission for a domain it never contacts has an unnecessarily wide privilege envelope. If the extension is compromised — via a malicious dependency, an XSS in extension pages, or a supply-chain attack — it can make credentialed requests to any domain in its host_permissions list, not just the domains it was designed for. Chrome Web Store review specifically checks for host permissions that aren't justified by the extension's functionality. OWASP A01 (Broken Access Control) applies: the least-privilege principle requires pruning grants that are no longer needed.

Severity rationale

Medium because unused host permissions silently expand the blast radius of any extension compromise, allowing unauthorized cross-origin requests to domains that were never part of the extension's design.

Remediation

Audit each host_permissions entry against fetch(), XMLHttpRequest, and webRequest listener calls in the codebase. Remove any domain with zero call sites.

"host_permissions": ["https://api.yourdomain.com/*"]

Run grep -r 'api.yourdomain.com' src/ before each release to confirm the permission is still actively used. If a permission was for a feature that was removed, delete it from the manifest in the same commit.

Detection

  • ID: extension-permissions-security.host-permissions-minimization.unused-removed

  • Severity: medium

  • What to look for: List all host_permissions in manifest.json. For each, search the codebase for fetch() calls, XMLHttpRequest, or webRequest listeners targeting that domain. Count the ratio of used hosts to total requested hosts.

  • Pass criteria: All (100%) of the requested hosts are actually communicated with in the codebase. Every host_permissions entry maps to at least 1 fetch/request call to that domain. Report the count of host permissions verified.

  • Fail criteria: Hosts listed in manifest that are never contacted in the codebase.

  • Skip (N/A) when: Hard to determine dynamic fetch targets from runtime configuration.

  • Detail on fail: "Host permission 'example.com' requested but no code appears to communicate with it."

  • Remediation: Prune your host_permissions list in manifest.json regularly.

    "host_permissions": ["https://api.yourdomain.com/*"]
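The audit described under Remediation and Detection, as an added example that is not part of this rule page: it translates each host_permissions match pattern into a regex and checks it against absolute URL string literals found in the source, rather than grepping for a bare hostname substring. The manifest and source snippets are constructed samples; like the grep approach, it cannot see URLs assembled at runtime, which is the page's Skip (N/A) case.

```python
import json
import re
from typing import Iterable

# Chrome match pattern grammar (subset): <scheme>://<host>/<path>, where
# scheme may be "*" (http or https) and host may be "*" or "*.<domain>".
MATCH_PATTERN_RE = re.compile(r"^(\*|https?|file|ftp|wss?)://([^/]*)(/.*)$")
# Absolute http(s) URL string literals in JS/TS source; dynamic URLs are not seen.
URL_LITERAL_RE = re.compile(r"""["'`](https?://[^"'`\s]+)""")

def match_pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate one host_permissions match pattern into a regex over absolute URLs."""
    if pattern == "<all_urls>":
        return re.compile(r"^(?:https?|file|ftp|wss?)://")
    m = MATCH_PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"not a valid match pattern: {pattern}")
    scheme, host, path = m.groups()
    scheme_re = r"https?" if scheme == "*" else re.escape(scheme)
    if host == "*":
        host_re = r"[^/:]+"
    elif host.startswith("*."):
        host_re = r"(?:[^/:]+\.)?" + re.escape(host[2:])
    else:
        host_re = re.escape(host)
    path_re = ".*".join(re.escape(part) for part in path.split("*"))
    return re.compile(rf"^{scheme_re}://{host_re}(?::\d+)?{path_re}")

def audit_host_permissions(manifest: dict, sources: Iterable[str]) -> dict:
    """Map every host_permissions entry to the URL literals in `sources` it covers.
    An empty list is the fail criterion: the host is granted but never contacted."""
    urls = set()
    for text in sources:
        urls.update(URL_LITERAL_RE.findall(text))
    return {p: sorted(u for u in urls if match_pattern_to_regex(p).match(u))
            for p in manifest.get("host_permissions", [])}

def unused_hosts(report: dict) -> list:
    return [pattern for pattern, hits in report.items() if not hits]

# Constructed sample (not a real extension): one grant is still used, one was
# left behind after its feature was removed. In practice load manifest.json and
# the contents of every file under src/ instead.
SAMPLE_MANIFEST = json.loads("""{"manifest_version": 3, "host_permissions": [
  "https://api.yourdomain.com/*", "https://legacy-sync.yourdomain.com/*"]}""")
SAMPLE_SOURCES = [
    'const r = await fetch("https://api.yourdomain.com/v1/items");',
    "xhr.open('GET', 'https://api.yourdomain.com/v1/status');",
]

if __name__ == "__main__":
    report = audit_host_permissions(SAMPLE_MANIFEST, SAMPLE_SOURCES)
    for pattern, hits in report.items():
        print(f"{pattern}: {len(hits)} call site(s)")
    for pattern in unused_hosts(report):
        print(f"FAIL: host permission '{pattern}' requested but no code appears to contact it")
```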
