Permissions are restricted to essential functionality only
Why it matters
Overly broad permissions like <all_urls> give an extension read and write access to every website a user visits — every bank page, every login form, every private document. Chrome Web Store policy (chrome-cws-permissions-policy) enforces least-privilege; extensions with unjustified broad permissions fail review. Beyond review, broad permissions are the primary attack surface for supply-chain compromise: if your extension is hijacked, <all_urls> turns it into a credential harvester. OWASP A01 (Broken Access Control) and CWE-272 (Least Privilege Violation) both apply.
Severity rationale
Critical because unjustified `<all_urls>` grants full read/write access to all sites the user visits, enabling credential theft on account takeover if the extension is compromised.
Remediation
Audit every entry in permissions and host_permissions against your extension's actual functionality. Remove anything you don't use. Narrow broad host patterns to specific origins.
```json
{
  "permissions": ["tabs", "storage"],
  "host_permissions": ["https://api.example.com/*"]
}
```
Replace <all_urls> with explicit origins. If you need content script access on user-initiated pages, use activeTab instead — it grants access only to the tab the user explicitly interacts with, without persistent broad permission.
Detection
- ID: `permissions-minimal`
- Severity: `critical`
- What to look for: Examine the `permissions` and `host_permissions` arrays in the manifest. For each permission, verify it is necessary for the extension's stated purpose. Check for overly broad host permissions (e.g., `<all_urls>`, `http://*/*`, `https://*/*`) that could suggest the extension accesses data beyond what's needed.
- Pass criteria: Enumerate all permissions in `permissions` and `host_permissions` arrays. Count the total. All declared permissions are justified by the extension's functionality. 0 unnecessary broad permissions found. Permissions are as specific as possible (e.g., `https://example.com/*` instead of `<all_urls>`). Report even on pass: "N permissions declared, all justified."
- Fail criteria: At least 1 permission includes unnecessary broad access (e.g., `<all_urls>` for a tab manager that doesn't need it), or permissions don't match the stated purpose. Do not pass if `<all_urls>` is present without clear justification in the extension's core functionality.
- Cross-reference: For broader security review of extension permissions and data access patterns, the API Security audit covers authentication and authorization practices.
- Skip (N/A) when: Never — permission minimization is a Chrome Web Store policy requirement.
- Detail on fail: Specify overly broad or unnecessary permissions. Example: `"Permission <all_urls> requested but extension only manages tabs (doesn't need to access website content)"` or `"cookie permission declared but extension has no cookie-related functionality"`.
- Remediation: Remove unnecessary permissions. Narrow broad permissions: `{ "permissions": ["tabs", "storage"], "host_permissions": ["https://example.com/*"] }` Only request permissions you actually use. `tabs` for tab management, `storage` for data persistence, `scripting` for content scripts, etc. Avoid `<all_urls>` unless absolutely necessary.
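The broad-host part of this check can be automated. The following is an added example, not code from this rule set or from Chrome; the function names and the `justified` parameter are assumptions. It flags only broad host patterns, so whether each remaining permission matches the extension's stated purpose still needs manual review.

```javascript
// Added example: flags broad host access in a parsed manifest.json object.
// Match patterns have the form scheme://host/path; a host of "*" covers every site.
const HOST_PATTERN = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\/.*$/;

function isBroadHostPattern(entry) {
  if (entry === "<all_urls>") return true;
  const m = HOST_PATTERN.exec(entry);
  return m !== null && m[2] === "*";
}

// `justified` is a hypothetical reviewer-supplied list of broad entries that the
// extension's core functionality has been confirmed to need.
function auditManifest(manifest, justified = []) {
  const api = manifest.permissions || [];
  const hosts = manifest.host_permissions || [];
  const all = [...api, ...hosts];
  // Manifest V2 placed host patterns in "permissions", so scan both arrays.
  const broad = all.filter(isBroadHostPattern);
  const unjustified = broad.filter((p) => !justified.includes(p));
  const pass = unjustified.length === 0;
  return {
    id: "permissions-minimal",
    total: all.length,
    broad,
    unjustified,
    pass,
    detail: pass
      ? `${all.length} permissions declared, no unjustified broad host patterns`
      : `Broad host access without justification: ${unjustified.join(", ")}`,
  };
}

// Constructed sample manifests (not taken from any real extension).
const narrow = {
  permissions: ["tabs", "storage"],
  host_permissions: ["https://api.example.com/*"],
};
const wide = {
  permissions: ["tabs", "https://*/*"],
  host_permissions: ["<all_urls>"],
};

console.log(auditManifest(narrow));
console.log(auditManifest(wide));
```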
External references
- cwe · CWE-272 — Least Privilege Violation
- owasp:2021 · A01 — Broken Access Control
- external · chrome-cws-permissions-policy — Chrome Web Store — Permissions Policy (minimal permissions required)
History
- 2026-04-18 · v1.0.0 · Initial import from extension-store-readiness · automated