You may have seen the frightening warnings that Google Chrome will pop when installing a theme. “WARNING! This extension will follow you home from work!” Eek!
OK, it’s not that bad, but it can feel like it. To be fair, Google is just trying to warn you of what could happen, not what will happen. It’s kind of like your mom following you around and telling you not to get run over every time you cross the street. I appreciate the consideration, but…
Depending on the extension you install, it might need legitimate access to various things to do its job. For example, if you see the message that the extension can have access to “your private data on all websites,” this usually means that the extension is inserting content scripts into a page. (What the what!?!)
Warning message | Manifest entry that causes it (What it’s accessing) | Translation |
---|---|---|
All data on your computer and the websites you visit | “plugins” | Understand this one. The developer is using NPAPI plugins, which means they have some old software they’ve already written and are using it so they don’t have to write new code. This could create a serious security risk if you’re getting the extension from an untrusted source. Google manually review these because of that risk. |
Your bookmarks | “bookmarks” permission | Can you guess? This extension can either manipulate or provide a new organization interface to your bookmarks. |
Your browsing history | “history” permission | This extension could add, remove or look at URLs you’ve previously visited. |
Your tabs and browsing activity | Any of the following:
|
This means the extension could be used to create, modify, and rearrange tabs in the browser or its browser windows. It also means communication can be collected by the extension about navigation which can be related to the window, tab or site you’re interacting with – like if a page doesn’t load that can be reported back. |
Settings that specify whether websites can use features such as cookies, JavaScript, and plug-ins | “contentSettings” permission | Content settings allows extensions to change whether websites can use features such as cookies, JavaScript, and plug-ins. It allows customization of Chrome’s behavior on a per-site basis instead of globally. |
Your data on all websites | Any of the following:
|
Too overreaching to be helpful. Pretty scary warning with no real commitment to what’s happing. Using a “debugger” command will trigger the warning, but the extension is just looking for help understanding why things went wrong. Since it bundles up information about the current state of a crash – it can technically send all the info back to the developer. If you’re embarrassed about the sites you visit and your browser crashes a lot – maybe reconsider this. |
Your data on {list of websites} | A match pattern in the “permissions” field that specifies one or more hosts, but not all hosts | Kind of like the warning above, but information sharing is limited to 3 specific sites or subdomains of the same site. |
Your list of apps, extensions, and themes or Manage themes, extensions, and apps |
“management” permission | Extensions that cause this warning have the ability to manage your extensions or apps. They may change the new tab experience as well. |
Your physical location | “geolocation” permission | Extensions using this feature can determine your location and do not have to ask permission. |
Data you copy and paste | “clipboardRead” permission | Allows the extension to use “copy,” “cut,” and “paste.” Though you probably figured this one out. I’m assuming this is how some tools take a word you’ve highlighted and put it in the search field. |
Privacy-related settings | “privacy” permission | Any time you see privacy, you should pay attention – but it doesn’t mean panic. The way Google Chrome uses autofill on web forms, or Google Instant in their search are types of functionality that are helpful but would trigger this warning. |