Chrome extension permission · scoped hosts · match patterns

Chrome Extension Scoped Sites: host_permissions, Match Patterns & Risk

Risk: High
Summarize with ChatGPT

Chrome extension scoped site access is declared through host_permissions, optional_host_permissions, and content_scripts.matches using URL match patterns. Instead of every origin, the publisher names explicit hosts—often a single SaaS app or internal tool.

That usually beats full <all_urls> exposure for everyday browsing, but it is not automatically “safe.” If those hosts are your payroll portal, email, or exchange, the extension can still read and alter pages, harvest tokens from the DOM, and pair with scripting or network APIs in the same manifest.

Quick summary: scoped site permissions in 30 seconds

  • Scoped site permissions mean the extension lists explicit match patterns—such as https://app.example.com/*—instead of “read and change all your data on all websites.” That shrinks accidental blast radius on random blogs and news sites.
  • Concentrated risk remains: if the allowlist is exactly where you bank, file expenses, or trade crypto, the add-on still runs with DOM and API access on those high-value sessions.
  • Developers can request optional host permissions at runtime; each new prompt widens scope, so treat incremental grants like fresh installs.
  • Fake “narrow” manifests exist: long lists of unrelated finance or wallet hosts should trigger an immediate deny.

Real-world lens: one SaaS helper vs fake “narrow” lists

A well-documented Salesforce or Jira companion that lists only those domains matches user expectations. A PDF tool that also declares twenty exchange sites does not.

Compare scoped access with read-all-sites (max blast radius), active tab (often tighter interaction models), and how content scripts execute on the hosts you granted.

What scoped host access enables (patterns & optional grants)

  • Inject content scripts, call host-restricted extension APIs, and hold long-lived access to declared origins whenever you navigate there—subject to manifest and runtime rules.
  • Target high-sensitivity workflows: CRM fields, ITSM tickets, medical portals, or trading UIs—whatever domains appear in the allowlist.
  • Request additional hosts later via optional permissions or updated manifests—useful UX for vendors, expanded surface for users who click through prompts without diffing the list.

Abuse scenarios: concentrated theft, pattern theater & mistakes

  • Targeted fraud: a compromised update on an extension scoped only to your SSO or ERP still captures credentials and session context on those pages.
  • “Scoped” theater: dozens of unrelated banking, wallet, or government domains listed together without a coherent product story.
  • Pattern mistakes: typos or overly broad *.example.com rules can silently include more origins than reviewers expect.

Official docs: match patterns, content scripts & supply chain

Declaring scoped hosts, content scripts, and optional permissions

Chrome groups host_permissions, optional_host_permissions, and content script matches under shared match-pattern syntax—study subdomains, paths, and schemes before trusting a listing.Sources: Chrome — Declare permissions · Chrome — Content scripts

The permissions API documents runtime requests for additional hosts; permission warnings explain user-facing text—diff every update.Sources: Chrome — permissions API · Chrome — Permission warnings

Cross-browser patterns & third-party software risk

MDN’s match pattern reference aligns with Firefox WebExtensions expectations—useful when comparing multi-browser rollouts.Sources: MDN — Match patterns

National guidance treats third-party components with access to business apps as supply-chain risk—extensions scoped to ERP or SSO hosts belong in the same inventory.Sources: CISA — Software supply chain security · OWASP — Supply chain security · Google — Chrome Enterprise extension management

Practical tips: allowlist review, profiles & narrower models

  • Read the full allowlist in the Chrome Web Store Permissions tab or unpacked manifest before install; screenshot it for comparison after updates.
  • Challenge extensions that need payroll, wallet, or identity hosts when the marketing copy mentions unrelated features.
  • Use enterprise policy or dedicated work profiles to block consumer extensions on machines that touch regulated apps.
  • When a vendor offers active-tab-only or lighter models, compare trade-offs against scoped lists—read the all-sites, active-tab, and scripts deep dives before choosing.

Last reviewed: March 2026. Educational overview only—not legal advice; verify match-pattern behavior against current Chrome documentation.

FAQ: scoped host permissions & match patterns

Short answers for common searches—use with the risk and mitigation sections above for full context.

What is the difference between scoped sites and “read all sites”?

Scoped permissions use explicit match patterns so the extension is limited to listed origins (plus paths/schemes rules), whereas broad host access can cover every website. Scoped is narrower globally but can still be full power on the hosts you care about most.

Can a scoped extension still steal credentials?

Yes—if the allowlist includes your login or payment pages and the code is malicious or compromised. Scope limits collateral damage on unrelated sites, not trustworthiness.

Why would a legitimate extension use specific sites only?

Single-app companions—CRM helpers, LMS tweaks, or internal dashboards—often declare just those hosts to avoid touching the rest of the web.

What are optional host permissions?

Chrome lets extensions request additional hosts at runtime after install. Each grant expands scope; review new prompts the same way you reviewed the original manifest.

What should I verify before approving scoped host access?

Match the patterns to the product narrative, check subdomains and paths, confirm the publisher identity, and re-audit after updates—especially if new financial or identity hosts appear.

Further reading: Chrome match patterns & related eSafe guides

Start from every Chrome extension permission, then contrast all sites, active tab, and scripts.

Related extension guides

These topics often show up together in real extensions and abuse reporting—reading them as a set makes it easier to judge combined risk.

Browse all extension power guides

Audit what is installed

Pair least-privilege installs with a periodic review—especially after any extension update.

Add to Chrome