Permissions and privacy review

Chrome extension host permissions and privacy review checklist

Review broad host permissions, sensitive Chrome APIs, privacy disclosure reminders, and Developer Dashboard fields before publishing.

What to check

Broad host permissions

Patterns such as <all_urls> and *://*/* may increase review scrutiny and the install-time permission warnings shown to users. Use narrower host patterns, optional permissions, or activeTab when they fit the extension's purpose.

Sensitive APIs

Permissions such as tabs, cookies, history, debugger, identity, webRequest, and scripting should each support the extension's single purpose and be explained clearly in user-facing copy.

Privacy disclosure reminder

The ZIP scanner cannot inspect Developer Dashboard privacy fields, so it provides reminders when permissions may involve user data, browsing activity, authentication, or host access.

Action checklist

  • Remove unused permissions from manifest.json.
  • Narrow host permissions to required domains when possible.
  • Use optional permissions for features users can enable later.
  • Check whether activeTab can replace broad host access.
  • Prepare a privacy policy if the extension handles user data.
  • Make Developer Dashboard data-use disclosures match the extension behavior.
  • Add reviewer notes for permissions that are not obvious from the UI.

Common cases this page helps with

Unnecessary <all_urls>

A screenshot helper may only need access to the current active tab after user action, not every website all the time.

Sensitive API without explanation

A history or cookies permission can be valid, but the listing and privacy disclosures should explain why the permission is necessary.

Broad scripting access

If scripting is only used on one product domain, narrow host permissions to that domain instead of all HTTP and HTTPS pages.
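The checks described under "What to check" and the three cases above can be reproduced locally with a small script. The following is an added example, not the page's scanner or any Chrome Web Store tooling: it reads manifest.json out of an in-memory extension ZIP, flags broad host patterns and sensitive APIs, points out where activeTab or narrower host patterns could replace broad access, and appends the privacy-disclosure reminder that the ZIP cannot answer. The two manifests, the domain app.example.com, and the finding levels are constructed for the example.

```python
import io
import json
import zipfile

# Host patterns that grant access to every origin. <all_urls> and *://*/* come
# from the page; the http/https-only wildcards are equivalent in practice.
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Sensitive APIs named on the page, each mapped to the kind of data use a
# reviewer would expect the listing and privacy disclosures to explain.
SENSITIVE_PERMISSIONS = {
    "tabs": "browsing activity",
    "cookies": "authentication and site data",
    "history": "browsing activity",
    "debugger": "page content and browsing activity",
    "identity": "authentication",
    "webRequest": "browsing activity",
    "scripting": "page content on matched hosts",
}


def load_manifest_from_zip(zip_bytes: bytes) -> dict:
    """Read manifest.json from an extension ZIP held in memory (it must sit at the ZIP root)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return json.loads(zf.read("manifest.json"))


def host_patterns(manifest: dict) -> list[str]:
    """Collect declared host patterns. MV3 lists them under host_permissions;
    MV2 mixed them into permissions, so match-pattern-looking entries there count too."""
    hosts = list(manifest.get("host_permissions", []))
    hosts += [p for p in manifest.get("permissions", []) if "://" in p or p == "<all_urls>"]
    return hosts


def review_manifest(manifest: dict) -> list[dict]:
    """Return findings as dicts with level ('warn', 'info', 'reminder'), item and message."""
    findings = []
    perms = set(manifest.get("permissions", []))
    broad = [h for h in host_patterns(manifest) if h in BROAD_HOST_PATTERNS]

    for h in broad:
        findings.append({"level": "warn", "item": h,
                         "message": "Broad host pattern; prefer narrower patterns, "
                                    "optional_host_permissions, or activeTab."})
    for p in sorted(p for p in perms if p in SENSITIVE_PERMISSIONS):
        findings.append({"level": "info", "item": p,
                         "message": f"Sensitive API; explain why it is needed "
                                    f"({SENSITIVE_PERMISSIONS[p]})."})
    if "scripting" in perms and broad:
        findings.append({"level": "warn", "item": "scripting",
                         "message": "scripting combined with broad host access; narrow "
                                    "host_permissions to the product domain."})
    if "activeTab" in perms and broad:
        findings.append({"level": "warn", "item": "activeTab",
                         "message": "activeTab is already declared; check whether it can "
                                    "replace the broad host pattern."})
    if findings:
        # The ZIP cannot show Developer Dashboard privacy fields, so only a reminder is possible.
        findings.append({"level": "reminder", "item": "privacy",
                         "message": "Confirm Developer Dashboard data-use disclosures match "
                                    "the permissions above."})
    return findings


def build_zip(manifest: dict) -> bytes:
    """Pack a manifest into a minimal extension ZIP (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()


# Constructed manifests: the screenshot-helper case before and after narrowing.
BROAD_MANIFEST = {
    "manifest_version": 3,
    "name": "Screenshot helper (broad)",
    "permissions": ["tabs", "scripting", "cookies"],
    "host_permissions": ["<all_urls>"],
}
NARROW_MANIFEST = {
    "manifest_version": 3,
    "name": "Screenshot helper (narrow)",
    "permissions": ["activeTab", "scripting"],
    "host_permissions": ["https://app.example.com/*"],
    "optional_host_permissions": ["https://*.example.com/*"],
}

if __name__ == "__main__":
    for name, manifest in (("broad", BROAD_MANIFEST), ("narrow", NARROW_MANIFEST)):
        for f in review_manifest(load_manifest_from_zip(build_zip(manifest))):
            print(f"[{name}] {f['level']:8} {f['item']}: {f['message']}")
```

Run it on a real package by replacing `build_zip(...)` with the bytes of your ZIP. The narrowed manifest still produces an info finding for scripting and the privacy reminder, which matches the FAQ: a required sensitive permission is kept, but it must be explained and the dashboard disclosures must agree with it.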

Frequently asked questions

Are broad host permissions always wrong?

No. They may be valid for some extensions, but they increase review scrutiny and the permission warnings users see at install time. Use the narrowest scope that supports the single purpose.

Can the scanner inspect Developer Dashboard disclosures?

No. It only reads the ZIP. You must separately check privacy fields, listing copy, and reviewer notes in the Chrome Web Store dashboard.

What should I do when a sensitive permission is required?

Keep it, but document why it is necessary, make the user-facing behavior clear, and ensure privacy disclosures match actual data use.