CWE-346 (Origin Validation Error) and CWE-284 (Improper Access Control) both apply to an externally_connectable configuration that uses wildcards. With "ids": ["*"], any installed extension can reach your extension's chrome.runtime.onMessageExternal and chrome.runtime.onConnectExternal listeners through chrome.runtime.sendMessage or chrome.runtime.connect; with a catch-all matches pattern, any web page could do the same. Whatever those listeners do on request (read cookies, call privileged APIs, open tabs, relay data) becomes a public API callable by adversaries, backed by the background script's full permission set. OWASP A01 (Broken Access Control) governs this: externally_connectable is an explicit access grant and must enumerate specific callers. Chrome's documentation states that "*" in ids allows all extensions and apps to connect, and that matches cannot contain <all_urls>, http://*/*, or wildcard top-level-domain patterns such as *://*.com/* (Chrome does not accept such a manifest), so any such entry in source is either a load failure waiting to happen or a sign that nobody has decided who the callers are.
High because a wildcard `externally_connectable` configuration makes the extension's background script callable by any website or extension, converting privileged background logic into a publicly accessible attack surface.
Enumerate specific extension IDs (32-character strings over a-p) and specific https origin patterns in manifest.json externally_connectable. Never use * in ids, and never use <all_urls> or *://*/* in matches. Prefer https:// over *:// in matches, since an http:// match lets a network attacker impersonate the allowed origin, and treat a wildcard subdomain such as https://*.yourdomain.com/* as granting the API to every subdomain, including any that is vulnerable to XSS.
"externally_connectable": {
"ids": ["your-companion-extension-id-here"],
"matches": ["https://yourdomain.com/*"]
}
If no external connections are needed, do not simply omit externally_connectable: per Chrome's documentation, when the key is absent no web page can connect, but every installed extension can. To close the surface, either register no chrome.runtime.onMessageExternal or onConnectExternal listeners at all (external messages are then dropped), or declare externally_connectable listing only the callers you need; with ids unspecified or empty, no extension can connect. Same-extension content scripts and extension pages are unaffected either way, since their messages arrive through chrome.runtime.onMessage, which external callers cannot reach.
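As an added example (not code from the page, from Chrome's documentation, or from any real extension), here is a background service worker that treats the manifest allowlist as the first gate and re-checks the sender before dispatching, so a later manifest change cannot silently widen what the listener does. The extension ID, web origin and action names are placeholder assumptions, and the "unsafe" handler is included only for contrast.

```javascript
// Added example, not the page's own code. Defence in depth for an extension that
// exposes an external API via chrome.runtime.onMessageExternal.

// Exact extension IDs and exact web origins allowed to call this extension.
// Chrome extension IDs are 32 characters from a-p; the value below is a placeholder.
const POLICY = {
  allowedExtensionIds: new Set(['aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa']), // placeholder companion extension
  allowedWebOrigins: new Set(['https://yourdomain.com']),            // placeholder first-party site
};

// Classify a chrome.runtime.MessageSender as trusted or not.
// Web page senders carry sender.url; other extensions carry sender.id.
function classifySender(sender, policy = POLICY) {
  if (!sender || typeof sender !== 'object') {
    return { trusted: false, kind: 'unknown', reason: 'no sender object' };
  }
  const url = typeof sender.url === 'string' ? sender.url : '';
  if (url && !url.startsWith('chrome-extension://')) {
    // Compare by origin, never by URL prefix, so a path or query string
    // cannot make an untrusted site look like a trusted one.
    let origin;
    try {
      origin = new URL(url).origin;
    } catch {
      return { trusted: false, kind: 'web', reason: 'unparseable sender.url' };
    }
    if (origin === 'null') {
      return { trusted: false, kind: 'web', reason: 'opaque origin' };
    }
    const trusted = policy.allowedWebOrigins.has(origin);
    return { trusted, kind: 'web', reason: trusted ? 'origin allowlisted' : `origin ${origin} not allowlisted` };
  }
  if (typeof sender.id === 'string') {
    const trusted = policy.allowedExtensionIds.has(sender.id);
    return { trusted, kind: 'extension', reason: trusted ? 'extension id allowlisted' : `extension ${sender.id} not allowlisted` };
  }
  return { trusted: false, kind: 'unknown', reason: 'sender has neither url nor id' };
}

// The shape this rule is about, shown for contrast only: no sender check, and any
// property of a privileged object is reachable by name. Do not register this.
const PRIVILEGED = {
  // stands in for chrome.cookies.getAll, chrome.history.search, etc.
  dumpCookies: () => ['session=constructed-sample-value'],
};
function handleExternalMessageUnsafe(message) {
  return PRIVILEGED[message.action](message.params);
}

// Hardened: a closed set of named actions; privileged operations are not listed.
const EXTERNAL_ACTIONS = {
  getStatus: () => ({ ok: true, version: '1.0.0' }), // placeholder action
};

function handleExternalMessage(message, sender, policy = POLICY) {
  const verdict = classifySender(sender, policy);
  if (!verdict.trusted) {
    return { error: 'forbidden', reason: verdict.reason };
  }
  const action = message && typeof message.action === 'string' ? message.action : '';
  // hasOwnProperty keeps 'constructor', '__proto__' and friends out of the dispatch.
  if (!Object.prototype.hasOwnProperty.call(EXTERNAL_ACTIONS, action)) {
    return { error: 'unknown action' };
  }
  return EXTERNAL_ACTIONS[action](message.params);
}

// Register only inside a real extension; the guard lets this file run under Node.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessageExternal) {
  chrome.runtime.onMessageExternal.addListener((message, sender, sendResponse) => {
    sendResponse(handleExternalMessage(message, sender));
  });
}
```

The origin comparison matters more than it looks: an allowlist check written as sender.url.startsWith('https://yourdomain.com') would accept https://yourdomain.com.evil.test, while the origin from the URL parser does not.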
ID: extension-permissions-security.host-permissions-minimization.externally-connectable-restricted
Severity: high
What to look for: Quote the externally_connectable configuration from manifest.json. Enumerate all entries in ids and matches arrays. Check whether they contain specific values or wildcards.
Pass criteria: externally_connectable ids lists specific extension IDs and matches lists specific domain patterns, with zero wildcard entries (no * in ids; no <all_urls>, *://*/*, http://*/* or https://*/* in matches). Quote the actual configuration found.
Fail criteria: matches contains *://*/*, <all_urls>, http://*/*, https://*/* or a wildcard over a top-level domain (for example *://*.com/*). ids contains *.
Skip (N/A) when: externally_connectable is not used in manifest. Record in the finding that with the key absent any installed extension, but no web page, can connect, so any onMessageExternal/onConnectExternal listener is still reachable by other extensions.
Detail on fail: "externally_connectable allows connection from any website/extension. Every onMessageExternal/onConnectExternal handler in the background script is reachable by untrusted callers with the extension's full permission set behind it."
Remediation: Only allow specific extension IDs or specific https origins (e.g., your own website) in manifest.json to connect to your extension, and have the external listeners re-check sender.id / sender.url against the same allowlist before acting.
"externally_connectable": { "ids": ["<32-character-extension-id>"], "matches": ["https://yourdomain.com/*"] }
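As an added example (not code from the page or from Chrome), here is a manifest.json check that implements the pass, fail and skip criteria above, plus two warning-level findings a reviewer would want (plain-http matches and wildcard subdomains). The sample manifests at the end are constructed; the single-label public-suffix approximation is an assumption noted in the code.

```javascript
// Added example, not the page's own code: a source-level lint for externally_connectable.

// Patterns that grant every web page access. Chrome refuses to load a manifest that
// uses them in externally_connectable, but they still belong in a source check.
const ANY_SITE_PATTERNS = new Set(['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*']);
const MATCH_PATTERN = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/;
const EXTENSION_ID = /^[a-p]{32}$/; // Chrome extension IDs: 32 characters over a-p

// Returns a finding { level, text } for one matches entry, or null if it is fine.
function checkMatchPattern(pattern) {
  if (ANY_SITE_PATTERNS.has(pattern)) {
    return { level: 'fail', text: `matches contains "${pattern}": any web page may connect` };
  }
  const m = MATCH_PATTERN.exec(pattern);
  if (!m) {
    return { level: 'fail', text: `matches entry "${pattern}" is not a valid match pattern` };
  }
  const [, scheme, host] = m;
  if (host === '*') {
    return { level: 'fail', text: `matches "${pattern}": wildcard host admits any site` };
  }
  if (host.startsWith('*.')) {
    // Assumption: a single-label suffix such as *.com is treated as a wildcard over a
    // top-level domain. Multi-label public suffixes (co.uk, appspot.com) are not modelled.
    if (!host.slice(2).includes('.')) {
      return { level: 'fail', text: `matches "${pattern}": wildcard over a top-level domain admits any site` };
    }
    return { level: 'warn', text: `matches "${pattern}": every subdomain, and any XSS on one, gets API access` };
  }
  if (scheme === 'http' || scheme === '*') {
    return { level: 'warn', text: `matches "${pattern}": plain http lets a network attacker impersonate the origin` };
  }
  return null;
}

// Returns { status: 'pass' | 'fail' | 'skip', findings: [{ level, text }] }.
function checkExternallyConnectable(manifest) {
  const ec = manifest && manifest.externally_connectable;
  if (ec === undefined) {
    return {
      status: 'skip',
      findings: [{ level: 'info', text: 'externally_connectable absent: no web page can connect, but any installed extension can' }],
    };
  }
  const findings = [];
  for (const id of Array.isArray(ec.ids) ? ec.ids : []) {
    if (id === '*') {
      findings.push({ level: 'fail', text: 'ids contains "*": any installed extension may connect' });
    } else if (!EXTENSION_ID.test(String(id))) {
      findings.push({ level: 'warn', text: `ids entry "${id}" is not a 32-character a-p extension ID` });
    }
  }
  for (const pattern of Array.isArray(ec.matches) ? ec.matches : []) {
    const finding = checkMatchPattern(String(pattern));
    if (finding) findings.push(finding);
  }
  const status = findings.some((f) => f.level === 'fail') ? 'fail' : 'pass';
  return { status, findings };
}

// Constructed sample manifests (not from any real extension).
const SAMPLE_MANIFESTS = {
  wildcard: { name: 'sample', externally_connectable: { ids: ['*'], matches: ['*://*/*'] } },
  restricted: { name: 'sample', externally_connectable: { ids: ['aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'], matches: ['https://yourdomain.com/*'] } },
  absent: { name: 'sample' },
};

// Map each sample to its status, e.g. for a CI summary.
function lintSamples() {
  return Object.fromEntries(
    Object.entries(SAMPLE_MANIFESTS).map(([name, manifest]) => [name, checkExternallyConnectable(manifest).status]),
  );
}
```

Run it over a real manifest with checkExternallyConnectable(JSON.parse(fs.readFileSync('manifest.json', 'utf8'))); the warn-level findings do not change the rule's verdict but should be quoted alongside the configuration.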