permissions, host_permissions, and optional_* fields from manifest.json. Good permission design improves trust and reduces issues during store review.
Permission strategy
Common patterns
Background-driven feature
Usepermissions for the browser APIs you need and add only the host patterns required by the feature:
Optional capability
If the first-run experience does not require a feature, keep it optional:Practical rules
- Ask for API permissions only when the feature truly needs them.
- Keep
host_permissionsscoped to the smallest working set of origins. - Prefer optional permissions for secondary or premium features.
- Re-audit permissions whenever you add background actions, content-script injection, or remote API calls.
Permission design by feature type
Common mistakes
- Using broad wildcards like
<all_urls>when you only need one or two origins. - Mixing
host_permissionsinto a feature that could instead use a narrower user-triggered workflow. - Forgetting that content scripts, web-accessible resources, and script injection via
chrome.scriptingall have different security implications. - Documenting permissions in feature docs without explaining why each permission exists.
Review checklist
- List every user-facing feature.
- Map each feature to the exact API and host permissions it needs.
- Move non-core permissions to optional permissions where possible.
- Remove stale permissions left over from old experiments.
- Re-test install prompts and browser-store expectations after changes.
Next steps
- Keep one manifest accurate in manifest.json.
- Review page access in Web-accessible resources.
- Validate boundary handling in Messaging.
- Do a release pass with Security checklist.
- Compare
permissionsvshost_permissionsbehavior in Manifest V3 troubleshooting.

