To use most extension APIs and features, you must declare your extension's intent in the manifest's permissions fields. Extensions can request the following categories of permissions, specified using the respective manifest keys:
"permissions" - Contains items from a list of known strings. Changes may trigger a warning.
"optional_permissions" - Granted by the user at runtime, instead of at install time.
"content_scripts.matches" - Contains one or more match patterns that allow content scripts to inject into one or more hosts. Changes may trigger a warning.
"host_permissions" - Contains one or more match patterns that give access to one or more hosts. Changes may trigger a warning.
"optional_host_permissions" - Granted by the user at runtime, instead of at install time.
Permissions help to limit damage if your extension is compromised by malware. Some permission warnings are displayed to users for their consent before installation or at runtime, as detailed in Permissions with warnings.
Consider using optional permissions wherever the functionality of your extension permits, to provide users with informed control over access to resources and data.
If an API requires a permission, its documentation explains how to declare it. For an example, see Storage API.
Manifest
The following is an example of the permissions section of a manifest file:
manifest.json:
{
  "name": "Permissions Extension",
  ...
  "permissions": [
    "activeTab",
    "contextMenus",
    "storage"
  ],
  "optional_permissions": [
    "topSites"
  ],
  "host_permissions": [
    "https://www.developer.chrome.com/*"
  ],
  "optional_host_permissions": [
    "https://*/*",
    "http://*/*"
  ],
  ...
  "manifest_version": 3
}
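As an added example (not code from the original page), the following Node.js check lists broad host match patterns that a manifest grants at install time through "host_permissions" or "content_scripts.matches", which are candidates for moving to "optional_host_permissions". The function names and both sample manifests are assumptions constructed for illustration.

```javascript
// Added example: find broad host match patterns that are granted at install
// time and could instead be requested at runtime via optional_host_permissions.
// Function names and sample manifests are constructed for illustration.

// True when the pattern covers every host: "<all_urls>" or a "*" host part.
function isBroadPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  // Match pattern shape: <scheme>://<host>/<path>
  const m = /^([a-z*-]+):\/\/([^/]*)\/.*$/.exec(pattern);
  return m !== null && m[2] === "*";
}

// Returns one finding per broad pattern in an install-time manifest key.
function auditInstallTimeHosts(manifest) {
  const findings = [];
  for (const pattern of manifest.host_permissions || []) {
    if (isBroadPattern(pattern)) {
      findings.push({ key: "host_permissions", pattern });
    }
  }
  (manifest.content_scripts || []).forEach((script, i) => {
    for (const pattern of script.matches || []) {
      if (isBroadPattern(pattern)) {
        findings.push({ key: `content_scripts[${i}].matches`, pattern });
      }
    }
  });
  return findings;
}

// Constructed sample 1: same layout as the manifest above; the broad patterns
// sit in optional_host_permissions, so nothing is flagged.
const scoped = {
  host_permissions: ["https://www.developer.chrome.com/*"],
  optional_host_permissions: ["https://*/*", "http://*/*"],
};

// Constructed sample 2: broad access requested at install time.
const broad = {
  host_permissions: ["<all_urls>", "https://*.example.com/*"],
  content_scripts: [{ matches: ["*://*/*"], js: ["content.js"] }],
};

console.log(auditInstallTimeHosts(scoped)); // no findings
console.log(auditInstallTimeHosts(broad));  // two findings
```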
Host permissions
Host permissions allow extensions to interact with URLs that match the declared match patterns. Some Chrome APIs require host permissions in addition to their own API permissions, which are documented on each reference page. Here are some examples:
- Make fetch() requests from the extension service worker and extension pages.
- Read and query the sensitive tab properties (url, title, and favIconUrl) using the chrome.tabs API.
- Inject a content script programmatically.
- Monitor and control the network requests with the chrome.webRequest API.
- Access cookies with the chrome.cookies API.
- Redirect and modify requests and response headers using chrome.declarativeNetRequest API.
Permissions with warnings
When an extension requests multiple permissions, and many of them display warnings on installation, the user will see a list of warnings, like in the following example: