Active tab access: power that (usually) waits for your click

Risk: Low

The activeTab permission is a compromise: deep interaction with the page you are viewing, but typically tied to a user gesture such as clicking the toolbar icon.

It is not a blank check—compare it side by side with broad host permissions whenever an extension bundles both.

What this access enables

  • Temporarily gain host access to the active tab after an invoking gesture, enabling many “one-shot” tools (capture, translate selection, DOM helpers).
  • Often pairs with scripting APIs for that tab without declaring `<all_urls>` in the manifest.

If it is abused or compromised

  • Still dangerous if combined with exfiltration channels (downloads, native messaging, or broad network permissions).
  • Confusing UX: users may not realize a second permission quietly broadens scope beyond activeTab.

Evidence, documentation, and reporting

Official semantics

Chromium documents activeTab alongside the permissions list; read the precise grant conditions before trusting UI copy in the store.
Sources: Chrome — Permissions list (activeTab entry) · Chrome — Declare permissions

MDN describes the Firefox-flavored behavior for comparison when you audit cross-browser add-ons.
Sources: MDN — activeTab (Firefox)

Practical mitigations

  • Favor extensions that rely on activeTab alone when the feature is inherently “on-demand.”
  • Re-scan the permission diff after each update.
  • If an on-demand tool also requests “all sites,” ask why both are necessary.
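
The checks in the list above (activeTab bundled with "all sites" or an exfiltration channel, and the permission diff after an update) can be scripted against a parsed manifest.json. This is an added example, not code from this guide or from any browser vendor; the function names, the BROAD pattern and the EXFIL list are assumptions of the example, and both sample manifests are constructed.

```javascript
// Audit a parsed manifest.json for scope beyond activeTab, and diff two versions.
// v1 and v2 below are constructed samples, not taken from any real extension.
const BROAD = /^(<all_urls>|(\*|https?|wss?|ftp):\/\/\*\/.*)$/; // any-host patterns (assumed list)
const EXFIL = ["downloads", "nativeMessaging"]; // channels named in this guide

// Collect every declared permission and host pattern (MV2 and MV3 keys,
// optional grants and content-script matches included).
function grants(manifest) {
  const scripts = (manifest.content_scripts || []).flatMap(cs => cs.matches || []);
  return new Set([
    ...(manifest.permissions || []),
    ...(manifest.host_permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...scripts,
  ]);
}

function auditManifest(manifest) {
  const all = [...grants(manifest)];
  const broadHosts = all.filter(p => BROAD.test(p));
  const exfil = all.filter(p => EXFIL.includes(p));
  const hasActiveTab = all.includes("activeTab");
  return {
    hasActiveTab,
    broadHosts,
    exfil,
    // activeTab with no any-host pattern and no exfiltration channel is the on-demand case.
    onDemandOnly: hasActiveTab && broadHosts.length === 0 && exfil.length === 0,
  };
}

// Grants present in the update but absent from the installed version.
function permissionDiff(oldManifest, newManifest) {
  const before = grants(oldManifest);
  return [...grants(newManifest)].filter(p => !before.has(p)).sort();
}

const v1 = { manifest_version: 3, permissions: ["activeTab", "scripting"] };
const v2 = {
  manifest_version: 3,
  permissions: ["activeTab", "scripting", "downloads"],
  host_permissions: ["*://*/*"],
};
console.log(auditManifest(v1), auditManifest(v2), permissionDiff(v1, v2));
```

A site-scoped pattern such as `https://*.example.com/*` is not flagged as broad, but it still appears in the diff when an update adds it.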

Frequently asked questions

Concise answers for this permission class—use with the evidence and mitigations above for full context and citations.

What does activeTab mean in practice?

Typically the extension gets deeper access to the tab you are using when you invoke it—often after a click on the toolbar icon—rather than silently running on every page all day.

Is activeTab always low risk?

It is usually safer than permanent all-sites access, but it can still read or change the current page during the grant. Risk rises if the same extension bundles other powerful permissions.

Can activeTab access run without me clicking?

Exact grant rules depend on the browser and manifest; read vendor docs for your version. Treat any unexpected prompt or behavior as a reason to review the manifest and publisher.

When is activeTab a reasonable choice?

Screenshot tools, translators, and one-shot helpers that only need the page you are viewing when you deliberately use the extension.

Audit what is installed

Pair least-privilege installs with a periodic review—especially after any extension update.