Declare permissions
To use most extension APIs and features, you must declare your extension's intent in the manifest's permissions fields. Extensions can request the following categories of permissions, specified using the respective manifest keys:
"permissions"
- Contains items from a list of known strings. Changes may trigger a warning.
"optional_permissions"
- Granted by the user at runtime, instead of at install time.
"content_scripts.matches"
- Contains one or more match patterns that allow content scripts to inject into one or more hosts. Changes may trigger a warning.
"host_permissions"
- Contains one or more match patterns that give access to one or more hosts. Changes may trigger a warning.
"optional_host_permissions"
- Granted by the user at runtime, instead of at install time.
Permissions help to limit damage if your extension is compromised by malware. Some permission warnings are displayed to users for their consent before installation or at runtime, as detailed in Permissions with warnings.
Consider using optional permissions wherever the functionality of your extension permits, to provide users with informed control over access to resources and data.
If an API requires a permission, its documentation explains how to declare it. For an example, see Storage API.
Manifest
The following is an example of the permissions section of a manifest file:
manifest.json:
{
  "name": "Permissions Extension",
  ...
  "permissions": [
    "activeTab",
    "contextMenus",
    "storage"
  ],
  "optional_permissions": [
    "topSites"
  ],
  "host_permissions": [
    "https://www.developer.chrome.com/*"
  ],
  "optional_host_permissions": [
    "https://*/*",
    "http://*/*"
  ],
  ...
  "manifest_version": 3
}
Host permissions
Host permissions allow extensions to interact with the URL's matching patterns. Some Chrome APIs require host permissions in addition to their own API permissions, which are documented on each reference page. Here are some examples:
- Make fetch() requests from the extension service worker and extension pages.
- Read and query the sensitive tab properties (url, title, and favIconUrl) using the chrome.tabs API.
- Inject a content script programmatically.
- Monitor and control the network requests with the chrome.webRequest API.
- Access cookies with the chrome.cookies API.
- Redirect and modify requests and response headers using the chrome.declarativeNetRequest API.
Permissions with warnings
When an extension requests multiple permissions, and many of them display warnings on installation, the user will see a list of warnings, like in the following example:
Users are more likely to trust an extension with limited warnings or when permissions are explained to them. Consider implementing optional permissions or a less powerful API to avoid alarming warnings. For best practices for warnings, see Permission warnings guidelines. Specific warnings are listed with the permissions to which they apply in the Permissions reference list.
Adding or changing match patterns in the "host_permissions" and "content_scripts.matches" fields of the manifest file will also trigger a warning. To learn more, see Updating permissions.
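One way to review a manifest for least privilege before shipping an update, as an added example that is not part of the original page or Chrome's own tooling. It separates install-time grants from runtime (optional) grants, flags install-time match patterns that cover every host, and lists install-time access added between two versions; the function names and the sample manifests are constructed for illustration.

```javascript
// Added example, not code from the page. Manifest keys are the ones the page
// lists; function names are hypothetical.

// A match pattern is "<all_urls>" or <scheme>://<host>/<path>; host "*" is every host.
function isBroadPattern(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^([^:]+):\/\/([^\/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Split install-time grants from grants the user makes at runtime.
function auditManifest(manifest) {
  const scriptHosts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  const installHosts = [...new Set([...(manifest.host_permissions || []), ...scriptHosts])];
  return {
    installApis: manifest.permissions || [],
    installHosts,
    runtimeApis: manifest.optional_permissions || [],
    runtimeHosts: manifest.optional_host_permissions || [],
    broadInstallHosts: installHosts.filter(isBroadPattern),
  };
}

// Install-time entries present in `next` but not in `prev`: the kind of
// change the page says may trigger a warning.
function addedInstallTimeAccess(prev, next) {
  const a = auditManifest(prev), b = auditManifest(next);
  return {
    apis: b.installApis.filter((p) => !a.installApis.includes(p)),
    hosts: b.installHosts.filter((h) => !a.installHosts.includes(h)),
  };
}

// Constructed sample: the page's manifest with the elided fields left out.
const current = {
  permissions: ["activeTab", "contextMenus", "storage"],
  optional_permissions: ["topSites"],
  host_permissions: ["https://www.developer.chrome.com/*"],
  optional_host_permissions: ["https://*/*", "http://*/*"],
  manifest_version: 3,
};
// Constructed next version that pulls a broad pattern into install time.
const proposed = {
  ...current,
  permissions: [...current.permissions, "cookies"],
  content_scripts: [{ matches: ["https://*/*"], js: ["content.js"] }],
};
console.log(auditManifest(proposed).broadInstallHosts);
console.log(addedInstallTimeAccess(current, proposed));
```

Running a check like this in CI against the previously published manifest makes an unintended broadening of install-time access visible before release.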
Allow access
If your extension needs to run on file:// URLs or operate in incognito mode, users must give the extension access on its details page. You can find instructions for opening the details page under Manage your extensions.
Allow access to file URLs and incognito pages
- Right-click the extension icon in Chrome.
- Choose Manage Extension.
  (Figure: Extension menu)
- Scroll down to enable access to file URLs or incognito mode.
  (Figure: Access enabled to file URLs and incognito mode.)
To detect whether the user has allowed access, you can call extension.isAllowedIncognitoAccess() or extension.isAllowedFileSchemeAccess().
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2024-02-05 UTC.