Chrome Extension Permissions Cheatsheet: The Complete Manifest V3 Reference (2026)
Extensions that request fewer permissions get 30% higher install rates. Yet 86% of popular Chrome extensions still request high-risk permissions they don’t need.
This cheatsheet gives you the full Chrome extension permissions list for Manifest V3 — organized by risk level, with the exact warning text users see, and clear guidance on when to use each one.
Bookmark it. You’ll come back to it every time you touch manifest.json.
How Permissions Work in Manifest V3
Chrome extensions declare permissions across four keys in manifest.json:
| Key | When Granted | User Experience |
|---|---|---|
| permissions | At install time | Warning dialog shown before install |
| optional_permissions | At runtime | Prompt shown when feature is used |
| host_permissions | At install time | Warning about site access |
| optional_host_permissions | At runtime | Prompt for specific site access |
Rule of thumb: If a feature works without it on first launch, make it optional.
```json
{
  "permissions": ["storage", "alarms"],
  "optional_permissions": ["bookmarks", "history"],
  "host_permissions": ["https://api.yourservice.com/*"],
  "optional_host_permissions": ["https://*/*"]
}
```
Permissions That Trigger NO Warning
These are safe to include in permissions — users won’t see any install-time warning.
| Permission | What It Does |
|---|---|
| activeTab | Temporary access to the current tab when user clicks your extension |
| alarms | Schedule code to run at intervals or specific times |
| storage | Store and retrieve extension data (synced or local) |
| unlimitedStorage | Remove storage quota limits |
| scripting | Inject content scripts programmatically |
| offscreen | Create offscreen documents for DOM APIs |
| sidePanel | Display content in Chrome’s side panel |
| contextMenus | Add items to right-click menus |
| idle | Detect when the machine is idle |
| power | Override power management (prevent sleep) |
| system.cpu | Query CPU metadata |
| system.memory | Query memory info |
| system.display | Query display info |
Pro tip: activeTab + scripting replaces broad host permissions for most use cases. Use this combo instead of <all_urls>.
Permissions That Trigger Warnings
These permissions show a warning dialog at install. Each additional warning reduces your install conversion rate.
Browser Data Access
| Permission | Warning Users See | Use Case |
|---|---|---|
| bookmarks | “Read and change your bookmarks” | Bookmark managers |
| history | “Read and change your browsing history” | History search tools |
| tabs | “Read your browsing history” | Tab managers needing URLs/titles |
| topSites | “Read frequently visited websites list” | New tab pages |
| readingList | “Read and change reading list entries” | Reading list tools |
| downloads | “Manage your downloads” | Download managers |
User Data Access
| Permission | Warning Users See | Use Case |
|---|---|---|
| clipboardRead | “Read data you copy and paste” | Clipboard managers |
| clipboardWrite | “Modify data you copy and paste” | Copy-to-clipboard features |
| identity.email | “Know your email address” | Account linking |
| geolocation | “Detect your physical location” | Location-based features |
System & Capture
| Permission | Warning Users See | Use Case |
|---|---|---|
| desktopCapture | “Capture screen content” | Screen recording |
| tabCapture | “Read and change all website data” | Tab video/audio capture |
| pageCapture | “Read and change all website data” | Save pages as MHTML |
| nativeMessaging | “Communicate with native applications” | Desktop app integration |
| debugger | “Access page debugger backend” + “Read and change all website data” | DevTools extensions |
Browser Settings
| Permission | Warning Users See | Use Case |
|---|---|---|
| contentSettings | “Change settings controlling website access” | Per-site cookie/JS settings |
| privacy | “Change privacy-related settings” | Privacy management tools |
| proxy | “Read and change all website data” | VPN/proxy extensions |
| management | “Manage apps, extensions, and themes” | Extension managers |
| notifications | “Display notifications” | Alert systems |
| tabGroups | “View and manage tab groups” | Tab organization tools |
Network Control
| Permission | Warning Users See | Use Case |
|---|---|---|
| declarativeNetRequest | “Block content on any page” | Ad blockers, privacy tools |
| webNavigation | “Read your browsing history” | Navigation tracking |
| webAuthenticationProxy | “Read and change all website data” | Enterprise auth proxies |
Accessibility
| Permission | Warning Users See | Use Case |
|---|---|---|
| accessibilityFeatures.read | “Read your accessibility settings” | Accessibility auditors |
| accessibilityFeatures.modify | “Change your accessibility settings” | Accessibility tools |
| ttsEngine | “Read all text spoken via synthesis” | Text-to-speech engines |
| favicon | “Read website icons you visit” | Bookmark/tab UI tools |
Host Permissions: Match Patterns
Host permissions control which websites your extension can interact with via fetch(), content scripts, and cookies.
| Pattern | Scope | Risk Level |
|---|---|---|
| https://api.example.com/* | Single domain | ✅ Low |
| https://*.example.com/* | Domain + subdomains | ⚠️ Medium |
| https://*/* | All HTTPS sites | 🔴 High |
| <all_urls> | All URLs | 🔴 Highest |
Warning text for broad patterns: “Read and change all your data on all websites”
```jsonc
// ❌ Don't do this unless absolutely necessary
"host_permissions": ["<all_urls>"]

// ✅ Scope to what you actually need
"host_permissions": ["https://api.yourapp.com/*"]

// ✅ Even better — request at runtime
"optional_host_permissions": ["https://*/*"]
```
Decision Flowchart: Required vs Optional
Use this to decide where each permission belongs:
- Is it needed for the extension to function at all? → permissions
- Is it needed only for a secondary feature? → optional_permissions
- Do you need access to a specific API domain? → host_permissions
- Do you need access to user-visited sites, but only sometimes? → optional_host_permissions
- Do you just need the current tab when user clicks your icon? → Use activeTab instead
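
The optional_host_permissions branch of this flowchart, as an added example that is not from the original article: it requests access to a single site from a click handler and releases the grant once the task finishes. The names withSiteAccess, originPattern and fakeApi are hypothetical, and the manifest is assumed to declare "optional_host_permissions": ["https://*/*"].

```javascript
// Added example. Assumes the manifest declares
// "optional_host_permissions": ["https://*/*"].

// Narrowest match pattern for the site at `url`: one scheme, one host.
function originPattern(url) {
  const u = new URL(url);
  if (u.protocol !== "https:") throw new Error(`unsupported scheme ${u.protocol}`);
  return `https://${u.hostname}/*`;
}

// Grant access to one site, run `task`, then release the grant again.
// Call from a click handler: chrome.permissions.request() needs a user gesture.
// `api` is a parameter (hypothetical design choice) so the flow is testable.
async function withSiteAccess(url, task, api = chrome.permissions) {
  const origins = [originPattern(url)];
  const alreadyHad = await api.contains({ origins });
  if (!alreadyHad && !(await api.request({ origins }))) {
    return { granted: false }; // user declined: keep the core feature working
  }
  try {
    return { granted: true, result: await task() };
  } finally {
    // Keep grants that predate this call; drop the one requested here.
    if (!alreadyHad) await api.remove({ origins });
  }
}

// Constructed stand-in for chrome.permissions so the flow runs under Node.
const log = [];
const fakeApi = {
  contains: async () => false,
  request: async ({ origins }) => { log.push(`request ${origins}`); return true; },
  remove: async ({ origins }) => { log.push(`remove ${origins}`); return true; },
};
withSiteAccess("https://shop.example.com/cart?id=1", async () => "done", fakeApi)
  .then((r) => console.log(r, log));
```
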
Requesting Permissions at Runtime
For optional permissions, use the chrome.permissions API:
```javascript
// Request when the user activates a feature
document.getElementById('enable-bookmarks').addEventListener('click', async () => {
  const granted = await chrome.permissions.request({
    permissions: ['bookmarks']
  });
  if (granted) {
    loadBookmarks();
  } else {
    showWhyPermissionHelps();
  }
});

// Check current permissions
const current = await chrome.permissions.getAll();
console.log(current.permissions); // ["storage", "alarms"]
console.log(current.origins); // ["https://api.example.com/*"]

// Remove permissions you no longer need
await chrome.permissions.remove({
  permissions: ['history']
});
```
Privacy-First Permissions Checklist
Before publishing, audit your manifest.json:
- Remove unused permissions — audit your code for actual API usage
- Move non-essential permissions to optional_permissions — reduce install friction
- Replace <all_urls> with specific domains — or use optional_host_permissions
- Use activeTab instead of tabs — unless you need background tab URLs
- Explain each permission in your Chrome Web Store listing description
- Test with zero optional permissions — ensure core functionality works
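
One way to automate part of this checklist, as an added example (not code from the article or from Chrome): it flags warning-triggering entries in permissions and broad patterns in host_permissions, using the tables on this page. auditManifest, hostRisk and the sample manifest are constructed for illustration, and treating every permission outside the no-warning table as warning-triggering is an assumption.

```javascript
// Added example: audit a parsed manifest.json against this page's tables.
// NO_WARNING copies the "no warning" table; any other API permission is
// treated as warning-triggering (an assumption of this example).
const NO_WARNING = new Set([
  "activeTab", "alarms", "storage", "unlimitedStorage", "scripting",
  "offscreen", "sidePanel", "contextMenus", "idle", "power",
  "system.cpu", "system.memory", "system.display",
]);

// Map a match pattern to the risk levels of the host-permissions table.
function hostRisk(pattern) {
  if (pattern === "<all_urls>") return "highest";
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return "unrecognized";
  if (m[2] === "*") return "high";
  return m[2].startsWith("*.") ? "medium" : "low";
}

function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions ?? []) {
    if (hostRisk(p) !== "unrecognized") {
      // In MV3, host patterns belong under host_permissions, not permissions.
      findings.push({ key: "permissions", value: p, issue: "host-pattern-misplaced" });
    } else if (!NO_WARNING.has(p)) {
      findings.push({ key: "permissions", value: p, issue: "install-warning" });
    }
  }
  // Broad patterns are flagged only where they are granted at install time;
  // under optional_host_permissions the user is prompted at runtime instead.
  for (const pattern of manifest.host_permissions ?? []) {
    const risk = hostRisk(pattern);
    if (risk !== "low") {
      findings.push({ key: "host_permissions", value: pattern, issue: `scope-${risk}` });
    }
  }
  return findings;
}

// Constructed sample manifest, not taken from a real extension.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  permissions: ["storage", "tabs", "history", "https://*/*"],
  host_permissions: ["https://api.example.com/*", "https://*.example.com/*", "<all_urls>"],
  optional_host_permissions: ["https://*/*"],
};

for (const f of auditManifest(SAMPLE_MANIFEST)) {
  console.log(`${f.key}: ${f.value} -> ${f.issue}`);
}
```

Each install-warning finding is a candidate for optional_permissions; each scope finding is a candidate for a narrower pattern or optional_host_permissions.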
Common Mistakes That Get Extensions Rejected
| Mistake | Fix |
|---|---|
| Requesting tabs just to open a new tab | Use chrome.tabs.create() — it doesn’t require the tabs permission |
| Requesting <all_urls> for a single-site tool | Scope to the specific domain |
| Using permissions for features users may never use | Move to optional_permissions |
| Not justifying permissions in the store listing | Add a “Why we need these permissions” section |
| Requesting history when you only need the current URL | Use activeTab instead |
Quick Reference: Permission → API Mapping
| You Want To… | Permission Needed | Warning? |
|---|---|---|
| Store user preferences | storage | No |
| Run code on a schedule | alarms | No |
| Inject scripts into pages | scripting + host permission | Depends on host scope |
| Read the current tab’s URL on click | activeTab | No |
| Read ALL open tab URLs | tabs | Yes |
| Block ads/trackers | declarativeNetRequest | Yes |
| Modify HTTP headers | declarativeNetRequest | Yes |
| Show notifications | notifications | Yes |
| Capture screenshots | desktopCapture or tabCapture | Yes |
| Save data beyond 10MB | unlimitedStorage | No |
| Add right-click menu items | contextMenus | No |
| Communicate with desktop apps | nativeMessaging | Yes |
Key Takeaways
- Fewer permissions = more installs. Every warning you trigger costs you users.
- activeTab is your best friend. It covers most tab-access needs without a warning.
- Make it optional when you can. Runtime permission requests convert 30% better than install-time warnings.
- Scope host permissions tightly. <all_urls> is almost never necessary.
- Audit regularly. Permissions creep happens — remove what you’re not using.
Use Ext Review to analyze any Chrome extension’s permissions and security posture before installing — or to benchmark your own extension against competitors.