Chrome Extension Security Checklist: 15-Item Guide for Safe Extensions

Q: What permissions should I avoid requesting?

Avoid broad permissions like 'all_urls', 'webRequest' (blocking), and 'tabs' unless essential. Users see permission warnings and may reject extensions with excessive permissions. Request permissions only when needed using optional_permissions.

TL;DR

This 15-item checklist covers the most critical security issues in browser extensions: permission management, code security, and data handling. 5 critical items must be fixed before launch, 7 important items within the first week, and 3 recommended items when you can.

Quick Checklist (5 Critical Items)

Request minimum permissionsAvoid broad permissions like all_urls when specific patterns work

Use Manifest V3Better security with service workers and restricted remote code

Never execute remote codeAll code must be bundled in your extension

Avoid eval and innerHTMLNever use eval() or innerHTML with untrusted content

Sanitize all web page dataContent scripts receive untrusted data

Permission Management 4

Request minimum permissionsOnly request permissions you need. Avoid broad permissions like all_urls when specific host patterns work. How to minimize permissions

Use optional_permissionsRequest permissions at runtime when needed rather than at install. Better user experience and trust. How to use optional permissions

Explain why you need permissionsUsers see permission warnings. Document why each permission is necessary in your listing description. How to document permissions

Review permissions on updatesEach update, verify you still need all permissions. Remove unused permissions to maintain user trust. How to audit permissions

Code Security 4

Use Manifest V3Migrate from Manifest V2. V3 has better security with service workers and restricted remote code execution. How to migrate to Manifest V3

Never execute remote codeDo not fetch and execute JavaScript from external servers. All code must be bundled in your extension. How to bundle extension code

Avoid eval and innerHTMLNever use eval() or innerHTML with untrusted content. Use textContent or DOM APIs instead. How to prevent XSS in extensions

Set strict Content Security PolicyConfigure CSP in manifest.json to prevent XSS. Avoid unsafe-eval and unsafe-inline directives. How to configure extension CSP

Data Handling 4

Sanitize all web page dataNever trust content from web pages. Content scripts receive untrusted data that could be malicious. How to sanitize extension data

Validate message passingValidate all messages between content scripts, background scripts, and popups. Check origin and format. How to secure message passing

Encrypt sensitive stored datachrome.storage is not encrypted by default. Encrypt sensitive data before storing. How to encrypt extension storage

Clear data on uninstallDo not leave user data behind. Clean up local storage and any synced data when appropriate. How to cleanup extension data

Privacy and Trust 3

Publish a privacy policyChrome Web Store requires a privacy policy for extensions requesting sensitive permissions. How to create a privacy policy

Minimize data collectionOnly collect data essential for functionality. Never sell user data or include tracking without consent. How to minimize data collection

Be transparent about functionalityClearly describe what your extension does. Hidden functionality violates Chrome Web Store policies. How to write extension description

Extensions Are High-Trust Software

Browser extensions run with significant privileges. They can read page content, modify requests, access browsing history, and more. Users install extensions trusting they will not abuse this access.

A security vulnerability in your extension could expose user data across all websites they visit. Take security seriously, minimize your attack surface, and be transparent about what your extension does.

Why does Chrome require Manifest V3?

Manifest V3 improves security by replacing persistent background pages with service workers, limiting remote code execution, and requiring declarative network request handling. It reduces the attack surface of extensions.

What permissions should I avoid requesting?

Avoid broad permissions like all_urls, webRequest (blocking), and tabs unless essential. Users see permission warnings and may reject extensions with excessive permissions. Request permissions only when needed using optional_permissions.

Can my extension be removed for security issues?

Yes. Chrome Web Store regularly reviews extensions and removes those with security vulnerabilities, excessive permissions, or policy violations. Follow security best practices to avoid removal.

TL;DR

Quick Checklist (5 Critical Items)

Permission Management 4

Code Security 4

Data Handling 4

Privacy and Trust 3

Extensions Are High-Trust Software

Why does Chrome require Manifest V3?

What permissions should I avoid requesting?

Can my extension be removed for security issues?

Related Articles

API Security Checklist

React Security Checklist

Content Security Policy

Security Scan for Your Backend

Chrome Extension Security Checklist: 15-Item Guide for Safe Extensions