Browser extension deep dives: permissions and topic guides
This hub lists every extension power article: permission-by-permission explainers aligned with Chrome-style install prompts, plus long reads on cookies, network rules, scripts/DOM, open tabs, and downloads. Use it to study host access, tracking risk, and real abuse reporting before you approve a new add-on.
Plain-language deep dive on host permissions that cover every website: capabilities, real abuse cases, Chrome/Mozilla documentation, and independent research citations.
Chrome extension scoped site access: host_permissions & match patterns vs all URLs—SSO, payroll & crypto hosts, optional grants & checklist | eSafe
What “act on the current tab when you click the extension” tends to mean in Chromium, how it differs from persistent host access, and where to read the official definition.
How extension tab permissions work (open tabs, URLs, navigation): capabilities, documented incidents with cited user counts, token-in-URL risks, and mitigations.
Chrome extension browsing history permission: chrome.history URLs & timestamps, profiling & spear-phishing—tabs, bookmarks & least-privilege checklist | eSafe
Chrome Extension Storage Permission: What chrome.storage Does (Local, Sync) & When It’s Risky
Risk: Very low
Chrome extension storage permission: chrome.storage.local vs sync, MV3 workers, when risk spikes with host or network access. Practical checklist | eSafe
Chrome Extension Bookmarks Permission: What chrome.bookmarks Reads & When to Allow Read/Change
Risk: Medium
Chrome extension bookmarks permission: chrome.bookmarks reads folders & URLs, spear-phishing risk, when read/change is justified—install checklist | eSafe
What the downloads permission allows, silent droppers and metadata profiling, cited campaign scale, and mitigations.
Chrome extension clipboard read/write: wallet swaps, OTP & pastejacking—Async Clipboard model, MV3 install prompts & least-privilege checklist | eSafe
Chrome extension notifications: chrome.notifications OS toasts, fake security pop-ups, spam re-engagement—privacy, geolocation combos & checklist | eSafe
Chrome extension privacy settings: chrome.privacy can flip WebRTC, DNS & tracking toggles—silent rollback, hardening audits & combo with cookies/proxy | eSafe
Why proxying browser traffic is critical risk, how MV3 shifted APIs, and a broad citation list across Chromium docs, IETF, and consumer guidance.
Chrome extension declarativeNetRequest (DNR): block & redirect requests, MV3 rule caps, phishing via tampered lists—permission & update checklist | eSafe
Chrome extension screen capture: desktopCapture & tabCapture video streams, MFA & document leaks—network exfil & native messaging combos | eSafe
Chrome extension native messaging: connectNative & host apps bridge the sandbox—supply-chain risk, signed binaries & pairing with downloads | eSafe
Chrome extension management permission: chrome.management can install/remove add-ons—supply-chain risk, when IT is legit, consumer red flags | eSafe
Chrome extension geolocation: GPS-style fixes, maps vs stalking risk, OS/browser prompts—pairing with history, bookmarks & notifications | eSafe
Browser extensions & cookies (full guide)
Risk: Critical
Cookie APIs, HttpOnly limits, session theft, MFA, cited figures from reporting and research, and practical mitigations.
Host permissions, fetch, declarativeNetRequest, redirects, documented abuse at reported scale, and mitigations.
Browser extensions & scripts / DOM (full guide)
Risk: Critical
Content scripts, scripting API, what “read and change all your data” means, cited incidents, and how to reduce scope.