Overly broad permissions like `<all_urls>` give an extension read and write access to every website a user visits — every bank page, every login form, every private document. Chrome Web Store policy (chrome-cws-permissions-policy) enforces least-privilege; extensions with unjustified broad permissions fail review. Beyond review, broad permissions are the primary attack surface for supply-chain compromise: if your extension is hijacked, `<all_urls>` turns it into a credential harvester. OWASP A01 (Broken Access Control) and CWE-272 (Least Privilege Violation) both apply.
Critical because unjustified `<all_urls>` grants full read/write access to all sites the user visits, enabling credential theft on account takeover if the extension is compromised.
Audit every entry in `permissions` and `host_permissions` against your extension's actual functionality. Remove anything you don't use. Narrow broad host patterns to specific origins.
```json
{
  "permissions": ["tabs", "storage"],
  "host_permissions": ["https://api.example.com/*"]
}
```
Replace `<all_urls>` with explicit origins. If you need content script access on user-initiated pages, use `activeTab` instead — it grants access only to the tab the user explicitly interacts with, without persistent broad permission.
ID: extension-store-readiness.policy-compliance.permissions-minimal
Severity: critical
What to look for: Examine the `permissions` and `host_permissions` arrays in the manifest. For each permission, verify it is necessary for the extension's stated purpose. Check for overly broad host permissions (e.g., `<all_urls>`, `http://*/*`, `https://*/*`) that could suggest the extension accesses data beyond what's needed.
Pass criteria: Enumerate all permissions in the `permissions` and `host_permissions` arrays. Count the total. All declared permissions are justified by the extension's functionality. 0 unnecessary broad permissions found. Permissions are as specific as possible (e.g., `https://example.com/*` instead of `<all_urls>`). Report even on pass: "N permissions declared, all justified."
Fail criteria: At least 1 permission includes unnecessary broad access (e.g., `<all_urls>` for a tab manager that doesn't need it), or permissions don't match the stated purpose. Do not pass if `<all_urls>` is present without clear justification in the extension's core functionality.
Cross-reference: For broader security review of extension permissions and data access patterns, the API Security audit covers authentication and authorization practices.
Skip (N/A) when: Never — permission minimization is a Chrome Web Store policy requirement.
Detail on fail: Specify overly broad or unnecessary permissions. Example: "Permission `<all_urls>` requested but extension only manages tabs (doesn't need to access website content)" or "cookie permission declared but extension has no cookie-related functionality".
Remediation: Remove unnecessary permissions. Narrow broad permissions:
```json
{
  "permissions": ["tabs", "storage"],
  "host_permissions": ["https://example.com/*"]
}
```
Only request permissions you actually use: `tabs` for tab management, `storage` for data persistence, `scripting` for content scripts, and so on. Avoid `<all_urls>` unless absolutely necessary.
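
The enumeration and broad-pattern parts of this check can be scripted. The sketch below is an added example, not code from this audit or from Chrome: it counts declared permissions and flags host patterns whose host is a bare wildcard, leaving the justification decision to a reviewer. The function names, the sample manifests, and the choice to also scan `content_scripts` match patterns are assumptions.

```javascript
// Added example, not the audit tool's own code.
// A match pattern is scheme://host/path; a bare "*" host covers every site.
function isBroadHostPattern(entry) {
  if (entry === "<all_urls>") return true;
  const m = /^(\*|[a-z]+):\/\/([^/]*)\//.exec(entry);
  return m !== null && m[2] === "*";
}

function auditManifest(manifest) {
  const sources = [
    ["permissions", manifest.permissions || []], // Manifest V2 lists host patterns here
    ["host_permissions", manifest.host_permissions || []],
  ];
  // Assumption: content script match patterns count as host access for this review.
  (manifest.content_scripts || []).forEach((cs, i) =>
    sources.push([`content_scripts[${i}].matches`, cs.matches || []]));

  const findings = [];
  let declared = 0;
  for (const [field, entries] of sources) {
    for (const entry of entries) {
      if (!field.startsWith("content_scripts")) declared += 1;
      if (isBroadHostPattern(entry)) findings.push({ field, entry });
    }
  }
  const verdict = findings.length === 0 ? "no broad host patterns" : "needs justification";
  return { declared, findings, verdict };
}

// Constructed sample manifests for illustration.
const broadManifest = {
  manifest_version: 3,
  permissions: ["tabs", "storage"],
  host_permissions: ["<all_urls>", "https://api.example.com/*"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};
const narrowManifest = {
  manifest_version: 3,
  permissions: ["tabs", "storage", "activeTab"],
  host_permissions: ["https://api.example.com/*"],
};

console.log(auditManifest(broadManifest));
console.log(auditManifest(narrowManifest));
```

A subdomain wildcard such as `https://*.example.com/*` is not flagged, because it stays within one registrable site; every flagged entry still needs a written justification to pass.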