Security checklist

Reduce extension attack surface before release with a repeatable review pass. Focus on least privilege, constrained runtime access, and strict input handling.

Security review capabilities

Area                   What this helps you verify
Permissions scope      Requested capabilities are minimal and intentional
Content-script safety  Page-context behavior avoids unsafe injection patterns
WAR exposure           Only required assets are externally readable
Message boundaries     Privileged actions are validated and sender-aware
Release hygiene        CI and dependency checks catch regressions early

Manifest and permissions

  • Request only permissions you need.
  • Avoid broad host permissions unless required.
  • Prefer optional permissions for non-core capabilities.
  • Re-check web_accessible_resources scope after feature changes.

Content scripts

  • Default to isolated world unless MAIN world is strictly required.
  • Keep selectors and DOM mutations scoped to known targets.
  • Sanitize untrusted page data before rendering or storing.
  • Avoid injecting executable strings into page contexts.

Web-accessible resources

  • Keep WAR entries explicit and minimal.
  • Avoid wildcard patterns such as resources: ["*"].
  • Restrict matches to required domains.
  • Use runtime URL helpers (runtime.getURL) for asset access.

Messaging and data flow

  • Validate message payload shape before processing.
  • Verify sender context for privileged operations.
  • Avoid exposing privileged operations directly to page scripts.
  • Keep boundary modules for content/background communication.
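A sender-aware, schema-checked handler for the background side of this boundary, added here as an example (not code from the original page); the message types getStatus and setFlag, their payload rules, and the ctx object are assumptions for illustration.

```javascript
// Added example (not from the original page): background-side message handler that checks
// sender identity and payload schema before acting. Message types and rules are assumptions.

// Allow-list of message types with a validator for each payload shape.
const MESSAGE_SCHEMAS = {
  // Read-only query: any part of this extension may ask.
  getStatus: (p) => p === undefined,
  // Privileged write: key must be a short identifier, value a boolean.
  setFlag: (p) => typeof p === "object" && p !== null &&
    typeof p.key === "string" && /^[a-z][a-zA-Z0-9_]{0,31}$/.test(p.key) &&
    typeof p.value === "boolean",
};
// Types that only the extension's own UI pages may send, never a content script
// running inside a web page (its payload is shaped by that page).
const PRIVILEGED_TYPES = new Set(["setFlag"]);

// The sender must be this extension; other extensions and web pages are rejected.
function isOwnExtension(sender, extensionId) {
  return Boolean(sender) && sender.id === extensionId;
}
// Extension pages load from baseUrl (runtime.getURL("")); content scripts report
// the http(s) URL of the page they run in, so they fail this check.
function isExtensionPage(sender, extensionId, baseUrl) {
  return isOwnExtension(sender, extensionId) &&
    typeof sender.url === "string" && sender.url.startsWith(baseUrl);
}
// Never throws: a hostile payload must not crash the worker. Returns {ok, result|error}.
function handleMessage(message, sender, ctx) {
  if (!isOwnExtension(sender, ctx.extensionId)) return { ok: false, error: "untrusted sender" };
  if (!message || typeof message !== "object" || typeof message.type !== "string")
    return { ok: false, error: "malformed message" };
  // hasOwnProperty, not plain lookup: "constructor" or "__proto__" would otherwise resolve.
  if (!Object.prototype.hasOwnProperty.call(MESSAGE_SCHEMAS, message.type))
    return { ok: false, error: "unknown type" };
  if (!MESSAGE_SCHEMAS[message.type](message.payload))
    return { ok: false, error: "payload failed schema" };
  if (PRIVILEGED_TYPES.has(message.type) && !isExtensionPage(sender, ctx.extensionId, ctx.baseUrl))
    return { ok: false, error: "privileged type from non-extension page" };
  return { ok: true, result: ctx.actions[message.type](message.payload) };
}

// Register only inside an extension runtime so the module also loads in plain Node.
if (typeof chrome !== "undefined" && chrome.runtime && chrome.runtime.onMessage) {
  const ctx = { extensionId: chrome.runtime.id, baseUrl: chrome.runtime.getURL(""), actions: {
    getStatus: () => ({ ready: true }),
    // Needs the "storage" permission in the manifest.
    setFlag: ({ key, value }) => { chrome.storage.local.set({ [key]: value }); return "stored"; },
  } };
  chrome.runtime.onMessage.addListener((msg, sender, reply) => { reply(handleMessage(msg, sender, ctx)); });
}
```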

Build and release hygiene

  • Run lint, type checks, and tests in CI.
  • Review production bundle output for unexpected artifacts.
  • Keep dependencies updated and remove unused packages.
  • Rotate secrets and keep sensitive values out of client-exposed env vars.

Common high-risk anti-patterns

  • host_permissions with broad wildcards that are not feature-critical
  • web_accessible_resources exposing broad globs to <all_urls>
  • message handlers that trust payloads without sender or schema checks
  • MAIN-world script usage when isolated world would be sufficient

Quick pre-release pass

  1. permission review
  2. WAR review
  3. content script world review
  4. messaging validation review
  5. CI green on target browser matrix

Next steps