Manifest V3 checklist

Manifest V3 pre-submission checklist for Chrome extensions

Check that manifest.json is valid, at the ZIP root, uses Manifest V3, and references files that actually exist in your package.

Run local ZIP scan

Guide

What to check

Package the ZIP correctly

Chrome Web Store expects manifest.json at the ZIP root. Do not zip the parent project folder unless manifest.json is directly inside that root. Scan the exact release ZIP, not a development folder.

Validate manifest references

Background service workers, popup files, options pages, content scripts, icons, web accessible resources, and DNR rules should all point to files that exist in the submitted ZIP.

Review permissions and CSP

Broad host permissions, sensitive APIs, and unsafe CSP declarations should be minimized and justified before submission. Many valid extensions still need clear policy explanations.

Checklist

Action checklist

  • Set manifest_version to 3.
  • Place manifest.json at the ZIP root.
  • Verify background service worker paths exist in the ZIP.
  • Verify action popup, options page, content scripts, icons, and web accessible resources exist.
  • Remove unused permissions and narrow host permissions when possible.
  • Check extension page CSP for unsafe-eval and remote script assumptions.
  • Prepare privacy disclosure and single-purpose explanation before submission.

Examples

Common cases this page helps with

Missing popup file

manifest.json references popup.html, but the production build outputs popup/index.html. The scanner reports the missing reference so the manifest or build path can be corrected.

Missing icon path

The manifest references icons/icon128.png, but the ZIP contains assets/icon128.png. The scanner flags the path mismatch before upload.

Development-only files

A local build works because source files exist, but the submitted ZIP lacks generated content script files. Scan the release ZIP to catch this mismatch.

FAQ

Frequently asked questions

Why does ZIP root packaging matter?

Chrome Web Store evaluates the submitted package. If manifest.json is nested inside a folder instead of at the ZIP root, the package can fail before deeper review.

Can the scanner validate every Chrome policy?

No. It checks static package signals. You still need to review listing metadata, privacy practices, and actual extension behavior.

Should I rerun the scanner after each fix?

Yes. Rebuild the production ZIP after changes and scan the rebuilt package, because bundler output can change paths and generated files.

Related guides

Continue review

Chrome Web Store rejection checker Host permissions and privacy review checklist How the scanner works Run local ZIP scan