How to control a chrome extension’s permissions
By Rachel Davis
Google promised control of each Chrome extension’s permissions back in October, and that long-promised feature finally arrived near the end of December. Extensions no longer require “all your data on the websites you visit.”
You won’t see any sort of prompt when installing an extension. If that extension asks to “Read and change all your data on the websites you visit,” all you can do is agree and click “Add Extension.” But, after the extension is installed, you can now revoke that permission.
How to Change an Chrome Extension’s Permissions
To control an extension’s access to your data, right-click the extension’s icon on your toolbar and point to “This can read and change site data.” Choose your preferred option:
- When you click the extension: The extension can’t see any of your data until you click it. When you do, it can access data from the current tab. If an extension does something automatically whenever you visit a website, it won’t work until you click it.
- On [current website]: The extension can only run and see data from the current website. It can’t see data from all websites.
- On all sites: This is the default. The extension can see and change data on all websites. It can automatically run and do things whenever you load any website.
Which option you choose depends on what you use the extension for and how much you trust it. But you now have a choice. You can now install an extension but only give it access to your data on a handful of websites, or just when you click it.
The “Learn more about site access” button takes you to a Google support page that explains how this works.
How to Customize the Websites an Extension Can Access
You can also manage the list of specific sites an extension can run on from the Extensions page. To access it, click menu > More Tools > Extensions.
Click the “Details” button for the extension you want to control.
To the right of “Allow this extension to read and change all data on the websites you visit,” choose “On specific sites.”
You can now control the specific list of sites the extension can access from the “Allowed sites” list. Click the “Add” button and type an address to add a website, or click the menu button and click “Remove” to remove an allowed website from the list.
This is the same as choosing the “On [current website]” option from the extension’s context menu, but you can see all websites the extension has access to and easily manage them.
Published on Monday, October 8, 2012 • Updated on Wednesday, May 21, 2014
Manifest V3 is launching soon! See the MV3 documentation for more information, and consider developing your extension in MV3.
To use most chrome.* APIs, your extension or app must declare its intent in the “permissions” field of the manifest. Each permission can be either one of a list of known strings (such as “geolocation”) or a match pattern that gives access to one or more hosts. Permissions help to limit damage if your extension or app is compromised by malware. Some permissions are also displayed to users before installation, as detailed in Permission Warnings.
If an API requires you to declare a permission in the manifest, then its documentation tells you how to do so. For example, the Storage page shows you how to declare the “storage” permission.
Here’s an example of the permissions part of a manifest file:
The following table lists the currently available permissions:
Makes Chrome start up early and shut down late, so that apps and extensions can have a longer life.
When any installed hosted app, packaged app, or extension has “background” permission, Chrome runs (invisibly) as soon as the user logs into their computer—before the user launches Chrome. The “background” permission also makes Chrome continue running (even after its last window is closed) until the user explicitly quits Chrome.
You typically use the “background” permission with a background page, event page or (for hosted apps) a background window.
Last updated: Wednesday, May 21, 2014 Improve article
Change how much of your data your extensions need
- Tweet
- Share
Just as mobile operating systems have ways to limit the access each app enjoys, Google Chrome has a straightforward permission control menu to restrict extension access. Here’s what you need to know about how permissions work, and how to use Chrome to control them.
How Do Chrome Extension Permissions Work?
Each “permission” is an atomic component in the Chrome API. Each permission only handles one aspect of how Chrome taps into your OS, and the data on it. To gain access to all the API elements it needs to function, an extension must ask and receive approval for each permission individually.
Extensions are also required to list all the permissions they need in the “manifest” file, which tells Chrome what to download and set up on installation, and provide a legitimate justification for each one. This lets Chrome easily keep track of all the points of access the extension uses.
Not all of these permissions are visible to the user, since tweaking certain low-level permissions would break the extension completely. However, Chrome exposes many of the ones most pertinent to privacy considerations for users to review.
How to Review and Restrict Chrome Extension Permissions
Chrome features a menu for viewing these exposed permissions for all your installed extensions in one place.
Select the three vertical dots in the upper-right of the browser.
Hover the mouse over More tools.
Select Extensions.
Select Details for the extension whose permissions you want to modify, and Chrome will pull up a page with all the settings options for the extension.
Scroll down to the Permissions section and you’ll see a bullet point list of the permissions the extension requires, as well as an extension-specific configuration interface below it. Select the dropdown menu to limit which websites the extension may be active on, then select On click, On specific sites, or On all sites.
Not all extensions have a bulleted list of their permissions.
Scroll down a little further and select Extension options. Either a pop-up menu will surface, or a new tab will open with the extension’s full settings panel. Regardless, the presented menu will provide options for managing any functionality, UI, and permissions Chrome didn’t present on the extension’s Details page.
Once the extensions settings are to your liking, that’s it. You’re all done, and you can close both tabs.
Tame those wily apps instead of deleting
When Chrome first released all the way back in September of 2008, the one thing that kept many Firefox loyalists from switching over was the robust amount of add-ons that Firefox offered.
By 2010, the Chrome Web Store had already surpassed 10,000 extensions. The total number of extensions available today isn’t shown publicly anymore, but it’s assumed to be well into the hundreds of thousands.
As Chrome’s library of extensions grows, so does the risk of installing and enabling extensions that may cause problems. Although the Chrome Web Store has policies that help keep malicious extensions out, some do pass through.
Similarly, there are some extensions that just encroach on users’ privacy far more than necessary. Often times, we bite the bullet and take the good with the bad—some extensions are hard to live without. However, did you know that you can do some management of your Chrome extensions’ permissions?
Instead of getting into how to uninstall Chrome extensions, let’s talk about how you can tame them!
How to Change the Permissions of Chrome Extensions
There are two different ways that you can change the permissions of your Chrome extensions, and both deal with modifying extensions’ site access.
The first way is by interacting with the extension’s icon in the extensions bar, and the second is by directly changing the list of site domains in the extension’s settings. Let’s go over each.
Change the Permissions of Chrome Extensions by Extension Icons
Your Chrome extensions bar is the area of the browser to the right of the address bar, where you see several icons for the extensions that you’ve installed.
If you right-click on one of your extensions’ icons and hover “This can read and change site data”, you’ll see three options that will allow you to quickly change the extension’s permissions:
- When you click the extension
- On the site you’re currently on
- On all sites
The first option effectively defaults the extension to not having read and change access until you click the icon. The other two are self-explanatory.
This is useful when you have one extension that’s particularly “loud.” If one of your extensions is constantly using network data or sending you notifications, limiting it through one of these options is a great way to get it under control without having to remove it completely.
Change the Permissions of Chrome Extensions by Extension Settings
If you like the functionality of limiting the sites at which an extension can read and change data but don’t want to individually visit every single site, you can input them manually through the extension’s settings.
To do so, click on the hamburger menu icon to the right of your extensions bar, then go to “More tools” and Extensions.
This will bring up a full page of all of the extensions you’ve installed. For the extension which you want to change the permissions of, click on the Details button beneath it.
On the page that follows, you’ll see the same three options as you would through the extensions bar icons. However, if you select “On specific sites” here, assuming it wasn’t the originally selected option, you’ll be able to add websites by individual URLs.
If the extension you’re modifying already had this as the selected option, or after you’ve added at least one site, you’ll see a full list of the permitted sites. From there, you can add or remove more of them.
You don’t have to let your Chrome extensions take over your browser. While it’s unfortunate that Chrome extensions demand so much control over reading and changing site data by default, you can at least change the permissions for ones that are noticeably problematic in these two ways.
Craig is a long-time writer, coder, and marketer with years of experience in the technology and gaming spaces. Since 2008, he’s worked remotely with some of the most notable publications in these industries, specializing in Windows, PC hardware and software, automation, and the like. Read Craig’s Full Bio
Earlier, you were only able to enable or disable Chrome extensions but now Google allows you to control permission settings for each Chrome extension or Chrome app. By customizing policies and permissions, you may override your defaults for specific apps or extensions. You may also control which apps or extensions users can install. You may control permissions related to 2-factor devices, Alarms, Audio capture, Certificate provider, CPU metadata, Geo location, Notifications, Network metadata, Set proxy, Video capture and more. If you are wondering how to control chrome extension’s permissions, let’s learn how to do that.
How to change Chrome extension’s permissions on your computer?
By following the below given steps, you may change Chrome extension’s permissions on your computer.
- Open Chrome on your computer.
- In the toolbar, right click the extension’s icon and point to “This can read and change site data and then select any of the following option according to your preference:
- When you click the extension: Enables the extension only when you click it. This only allows the extension to access the current site in the current tab or window. If your tab or window gets closed, extension will get automatically disabled.
- On [current website]: Permits the extension to automatically read and change data on the current site.
- On all sites: Permits the extension to automatically read and modify data on all sites.
- All these above mentioned settings depend on the reason why you want to use or trust the extension. But you now have a choice. You may now install an extension but only give it access to your data on selected websites, or just when you click it.
How to add or remove access to a specific website?
If you want to add or remove access to a specific website, you may do it by following the below given steps:
- Open Chrome on your computer.
- At the top right corner of the screen, click “More” button and then select More tools>Extensions.
- Click “Details” of the extension you want to control.
- Under “Permissions” add or remove a site by following the below given steps:
- To the right of “Allowed sites,” click “Add.” If you don’t see this option, change “Allow this extension to read and change all your data on websites you visit” to on specific sites.
- To remove, click More>Remove on the top right of the website screen.
Best Anti-malware
- Removes Malware which Antivirus cannot
- Protects from Ransomware Attacks
- Lightweight and Fast Detection
Now you don’t need to worry about adding a few more extensions in Chrome. You can now control the permissions after installing an extension. Earlier, extensions require to access all data on the websites you visit. Meaning they were able to change or read the data on every site that you visit. Now Google has given this feature that will help you to customize this option according to your need. In this article, you will know how to control the permission of a Chrome extension.
Though, at the time of installation, you have to agree on the “Read and change all your data on the websites you visit” permission. But later on, after the installation, you can change it.
How to Alter a Chrome Extension’s Permissions?
The quick way to alter the permission of a Chrome Extension is to right click on it and hover your mouse on “This can read and change site data” option then select the options according to your need. These options are explained below.
When you click the extension
If you choose this option, the extension will not be able to see any data on any website. To allow it to access the information on a site you have to click on the extension. Then it will be able to access the data on the current tab website. This option is helpful in reducing the system resource usage as well as protecting your confidential information.
If you want the extension to work only on a particular website, then choose this option. The extension will be able to read and change data on the website that you opened in the current tab. It will not work on other websites.
On all sites
This is the default option. If you choose this option, the extension can read and change the data on every website that you open. Meaning, it will do the desired job on all sites in every tab.
Besides these options, you can furthermore customize the permissions on the Extension page. Follow below guidelines to do that.
How to Customize the Extension Permissions on Chrome?
If you want an extension to run on particular websites, then you can add the list on the extension page. Click on the Menu button, hover your mouse on More tools, then click on Extensions.
Now locate the extension which settings you want to customize and click on Details button.
In the Permissions section, locate “Allow this extension to read and change all your data on websites you visit” click on the drop-down option besides this setting and choose On specific sites.
Now enter the URL of the website and click on Add button.
To add another website in the allowed list, click on Add option. To Edit or Remove a site from the list, click on the three vertical dots beside the URL.
To know more about the Site Access go to Google Answer Page.
How will this Feature help you?
Well, if you are like me who has almost half a dozen of extensions in the Chrome, then it is going to help you a lot. When you open a new website, all these extensions starts working on that websites; they consume RAM and Processor to do the desired job. When you open a few more tabs, you will feel it. Your PC becomes sluggish and unresponsive.
Now you can enable a particular extension when you want it to do the job. It will not consume the resources on the websites that you don’t want the extension to run.
If you are experiencing an adware problem then check – How to remove Adware from Google Chrome.
Published on Monday, October 8, 2012 • Updated on Wednesday, May 21, 2014
To use most chrome.* APIs, your extension or app must declare its intent in the permissions fields of the manifest. Extensions can request three categories of permissions, specified using the respective keys in the manifest:
- permissions contain items from a list of known strings (such as “geolocation”)
- optional_permissions are like regular permissions , but are granted by the extension’s user at runtime, rather than in advance
- host_permissions contain one or more match patterns that give access to one or more hosts
Permissions help to limit damage if your extension or app is compromised by malware. Some permissions are displayed to users for their consent before installation or at runtime as needed, as detailed in Permission Warnings.
You should use optional permissions wherever the functionality of your extension permits, to provide users with informed control over access to resources and data. See the platform vision to better understand this recommendation.
If an API requires you to declare a permission in the manifest, then its documentation tells you how to do so. For example, the Storage page shows you how to declare the “storage” permission.
Here’s an example of the permissions part of a manifest file:
The following table lists the currently available permissions:
Makes Chrome start up early and and shut down late, so that apps and extensions can have a longer life.
When any installed hosted app, packaged app, or extension has “background” permission, Chrome runs (invisibly) as soon as the user logs into their computer—before the user launches Chrome. The “background” permission also makes Chrome continue running (even after its last window is closed) until the user explicitly quits Chrome.
You typically use the “background” permission with a background page, event page or (for hosted apps) a background window.
Last updated: Wednesday, May 21, 2014 Improve article
Change how much of your data your extensions need
- Tweet
- Share
Just as mobile operating systems have ways to limit the access each app enjoys, Google Chrome has a straightforward permission control menu to restrict extension access. Here’s what you need to know about how permissions work, and how to use Chrome to control them.
How Do Chrome Extension Permissions Work?
Each “permission” is an atomic component in the Chrome API. Each permission only handles one aspect of how Chrome taps into your OS, and the data on it. To gain access to all the API elements it needs to function, an extension must ask and receive approval for each permission individually.
Extensions are also required to list all the permissions they need in the “manifest” file, which tells Chrome what to download and set up on installation, and provide a legitimate justification for each one. This lets Chrome easily keep track of all the points of access the extension uses.
Not all of these permissions are visible to the user, since tweaking certain low-level permissions would break the extension completely. However, Chrome exposes many of the ones most pertinent to privacy considerations for users to review.
How to Review and Restrict Chrome Extension Permissions
Chrome features a menu for viewing these exposed permissions for all your installed extensions in one place.
Select the three vertical dots in the upper-right of the browser.
Hover the mouse over More tools.
Select Extensions.
Select Details for the extension whose permissions you want to modify, and Chrome will pull up a page with all the settings options for the extension.
Scroll down to the Permissions section and you’ll see a bullet point list of the permissions the extension requires, as well as an extension-specific configuration interface below it. Select the dropdown menu to limit which websites the extension may be active on, then select On click, On specific sites, or On all sites.
Not all extensions have a bulleted list of their permissions.
Scroll down a little further and select Extension options. Either a pop-up menu will surface, or a new tab will open with the extension’s full settings panel. Regardless, the presented menu will provide options for managing any functionality, UI, and permissions Chrome didn’t present on the extension’s Details page.
Once the extensions settings are to your liking, that’s it. You’re all done, and you can close both tabs.
Published on Monday, October 1, 2018 • Updated on Monday, April 27, 2020
- Summary
- What’s changing?
- Which APIs are affected?
- Restricting access
- How can the user restrict access?
- What happens if a user chooses to run my extension “on click”?
- What happens if a user chooses to run my extension on specific sites?
- What happens if a user chooses to run my extension on all sites?
- API behaviors
- Web request API
- Content scripts, tabs.executeScript(), tabs.insertCSS()
- Cookies and background page XHR
- Migration
- What are best practices to avoid being negatively impacted?
- What happens to my current users’ settings?
- How can I check if my extension has permission to run on a site?
Manifest V3 is launching soon! See the MV3 documentation for more information, and consider developing your extension in MV3.
Summary #
What’s changing? #
Beginning in Chrome 70, users have the ability to restrict extension host access to a custom list of sites, or to configure extensions to require a click to gain access to the current page.
Which APIs are affected? #
This change affects any APIs that are affected by the host permissions specified in your extension’s manifest, as well as content scripts. APIs that require host permissions include webRequest, cookies, tabs.executeScript() and tabs.insertCSS(), and performing cross-origin requests, such as through an XMLHTTPRequest or the fetch() API.
Restricting access #
How can the user restrict access? #
Users can choose to allow your extension to run on click, on a specific set of sites, or on all requested sites. These options are presented to users on the chrome://extensions page as well as in the extension context menu.
What happens if a user chooses to run my extension “on click”? #
The extension essentially behaves as though it used the activeTab permission. The extension is granted temporary access to any host the user clicks the extension on, if that host was requested by the extension (and isn’t a restricted site, like chrome://settings). When set to run on click, Chrome badges your extension with a circle and drop shadow (see below) to indicate that is requesting access on a particular site.
What happens if a user chooses to run my extension on specific sites? #
Your extension is allowed to run automatically on any sites the user has chosen, and can access the site without further user action. On other sites that your extension requested, but the user did not grant permission to, the behavior is the same as if the user had set the extension to run on click.
What happens if a user chooses to run my extension on all sites? #
The extension can automatically access any sites requested in the manifest.
API behaviors #
Web request API #
The extension can still intercept, modify, and block any requests from sites it has access to. For sites the extension does not have access to, Chrome badges the extension to indicate that the extension requests access to the page. The user can then grant access to the extension; Chrome then prompts the user to refresh the page to allow your extension to intercept the network requests.
Content scripts, tabs.executeScript(), tabs.insertCSS() #
The extension can still inject scripts and style sheets automatically for any sites it has access to. For sites the extension does not have access to, Chrome badges the extension to indicate that the extension requests access to the page. The user can then grant access to the extension. If the content script was set to inject at document_idle, the script will inject immediately. Otherwise, Chrome prompts the user to refresh the page to allow your extension to inject scripts earlier in page load (at document_start or document_end). The callbacks for the tabs.executeScript() and tabs.insertCSS() methods are only invoked if the user grants access to the site.
Cookies and background page XHR #
The extension can still read and modify any cookies from and perform a cross-origin XHR to sites it has access to. Because there is no tab associated with an extension page accessing another origin’s cookies or XHRing to another host, Chrome does not badge the extension to indicate to the user that the extension is requesting to access a site. Trying to access a cookie for another site or make a cross-origin XHR will fail with an error as if the extension’s manifest did not include the host permission. For these cases, we encourage you to use optional permissions in order to allow the user to grant runtime access to different sites.
The example below illustrates how this may work for the cookies API.
Migration #
What are best practices to avoid being negatively impacted? #
Extensions can use the optional permissions, activeTab, and declarativeContent APIs to follow best practices. Optional permissions are granted at runtime, and allow the extension to request specific access to a site. The activeTab permission is not affected, and extensions using it continue to work normally. The declarativeContent API is a substitute for many needs to inject scripts into every page.
What happens to my current users’ settings? #
This change will not immediately affect any current permissions granted to your extension. That is, it will continue to operate as before unless the user takes action to restrict the sites it is allowed to access. In future releases, Chrome will provide more controls to users to adjust settings.
How can I check if my extension has permission to run on a site? #
You can use the permissions.contains() API in order to check whether your extension has been granted access to a given origin.
Last updated: Monday, April 27, 2020 Improve article
Windows users can be restricted from installing apps by an administrator. It’s a fairly simple process that involves limiting permissions for a particular Windows account. For apps that a user does have access to, they normally have free rein to customize it. Chrome, for example, allows users to install extensions. If you want to stop a particular user from installing an extension or running any of the ones already installed, there’s nothing in Chrome that lets you do so. A simple work around to the problem exists in the form of Windows folder permissions. Here’s what you need to do.
You need administrative rights to restrict a user’s ability to install or run extensions in Chrome. Open the following location for the user you want to apply the restrictions to. You must know which profile folder belongs to the user in question. You can check this from the Chrome://version page.
In the address below, ‘User Name’ refers to the Windows account you want to apply the restriction to and ‘Profile Name’ refers to the Chrome user profile you want to apply the restriction to.
C:\Users\User Name\AppData\Local\Google\Chrome\User Data\Profile Name
Once you’ve navigated to the location above, right-click the Extensions folder and select ‘Properties’ from the context menu. Go to the Security tab and select the Windows user account you want to add the restriction for. Click Edit to change permissions for the folder.
If you want to prevent a user from installing extensions but allow them to use the ones that are already installed in Chrome, remove ‘Write’ permissions for the folder.
If you want to prevent a user from using any and all extensions, remove all permissions. All extensions in Chrome will be disabled and the user will not be able to enable them or install any new ones.
We should point out that a user can still create a new Chrome profile and install extensions to that particular profile. There isn’t a work around that prevents a user from adding new users at present unless the user is a managed Chrome account.
