Chrome Extension Permissions Explained (and How to Ask for Fewer)
Every Chrome extension declares permissions. Asking for too many gets you rejected — and scares users. Here's how to ask for less.
Permissions are the single biggest reason Chrome extensions get rejected or uninstalled. The good news: most extensions ask for far more than they actually need.
The permission types
- API permissions — `storage`, `alarms`, `tabs`, `scripting`. Required to call those Chrome APIs.
- Host permissions — `https://example.com/*` or `<all_urls>`. Required to read/modify a site's pages.
- Optional permissions — requested at runtime, not install time. Far less scary for users.
How to ask for less
- Use `activeTab` instead of `<all_urls>` when you only need the current tab on user action.
- Use `host_permissions` scoped to specific domains, not the universal wildcard.
- Move non-essential permissions to `optional_permissions` and request them on demand.
- Use the `scripting` API instead of declaring content scripts for every page.
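The checklist above can be turned into a small manifest lint. This is an added example, not code from the original article or from ManifestGo; the function name `auditManifest`, its `deferrable` argument, the rule names and both sample manifests are constructed for illustration.

```javascript
// Added example: lint a Manifest V3 object against the tips in the list above.
// Match patterns treated here as "the entire web".
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// `deferrable` is an assumption supplied by the caller: API permissions this
// particular extension only needs after the user opts in to a feature.
function auditManifest(manifest, deferrable = []) {
  const findings = [];
  const perms = manifest.permissions || [];
  const isBroad = (pattern) => BROAD.has(pattern);

  // Tips 1 and 2: universal host access declared at install time.
  if ((manifest.host_permissions || []).some(isBroad)) {
    findings.push({ rule: "broad-host",
      fix: "scope host_permissions to specific domains, or use activeTab" });
  }
  // Tip 4: content scripts statically declared for every page.
  for (const cs of manifest.content_scripts || []) {
    if ((cs.matches || []).some(isBroad)) {
      findings.push({ rule: "broad-content-script",
        fix: "inject on demand with the scripting API instead" });
    }
  }
  // Tip 3: install-time permissions that could be requested at runtime.
  for (const p of perms.filter((name) => deferrable.includes(name))) {
    findings.push({ rule: "defer-permission",
      fix: `move "${p}" to optional_permissions` });
  }
  return findings;
}

// Constructed sample manifests: the same YouTube tweak, declared two ways.
const broadManifest = {
  manifest_version: 3,
  permissions: ["storage", "tabs", "downloads"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["tweak.js"] }],
};
const narrowManifest = {
  manifest_version: 3,
  permissions: ["storage", "activeTab", "scripting"],
  optional_permissions: ["downloads"],
  host_permissions: ["https://www.youtube.com/*"],
};

for (const [name, m] of Object.entries({ broadManifest, narrowManifest })) {
  console.log(name, auditManifest(m, ["downloads"]).map((f) => f.rule));
}
```

Run against a build's `manifest.json` before submission, a non-empty result lists each declaration to narrow.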
ManifestGo defaults to the narrowest permissions that satisfy your prompt. If you describe a YouTube tweak, you get host access to youtube.com — not the entire web.