Why Do Chrome Plugins Need Access To ‘All My Data’ and ‘Browsing Activity’?

chrome new logo   Why Do Chrome Plugins Need Access To All My Data and Browsing Activity?If you’ve installed Chrome plugins, you’ve probably seen a warning that they can access your data on all websites, your tabs and browsing activity, or even all the data on your computer. This warning can be scary, especially if you’re installing a simple browser extension that looks harmless.

Chrome has a permissions system, just like Android does. Unfortunately, the way web browsers and web pages work means that extensions must ask for quite a few permissions to do simple things. Chrome’s permissions system is not particularly fine-grained.

Plugin Permissions

Unlike Mozilla Firefox and Internet Explorer, both of which allow extensions to do anything they want, Chrome uses a permission system for its extensions. All Chrome plugins must declare the permissions they need. When you install a plugin, you’ll see a list of the permissions it requires. This gives you some idea of what a plugin can do. For example, if an extension doesn’t require any permissions, it’s definitely safe to install. If an extension requires permission to access all the data on your computer, you should be sure the extension was created by someone you trust.

Very simple plugins, such as the Timer plugin, which displays a timer button on your browser toolbar and doesn’t interact with any websites, don’t need any permissions.

chrome install timer dialog   Why Do Chrome Plugins Need Access To All My Data and Browsing Activity?

Other plugins need different types of permissions, depending on what they do.

Access Your Data On All Websites

Plugins that interact with web pages need to declare the permissions “Access your data on all websites.” Plugins that need to see the addresses and titles of the websites you visit must declare the permission “Access your tabs and browsing activity“.

For example, LastPass is a password manager that needs to detect what website you’re visiting, automatically fill forms with your saved passwords, and detect when you’ve entered a password and offer to save it. The LastPass Chrome extension must ask for all these permissions because it needs to view the websites you’re accessing and run JavaScript code on the pages you visit.

chrome lastpass permissions warning   Why Do Chrome Plugins Need Access To All My Data and Browsing Activity?

Other less-invasive extensions may also request these permissions. Any extension that works by running JavaScript code on the websites you visit must be able to “Access your data on all websites“. For example, the colorPicker plugin allows you to select a color used on the current website and view its exact color code. It functions by running JavaScript code on the current page, so it must be able to access all your data.

Google has no way of knowing whether an extension that manipulates the pages you visit is doing something innocuous, like picking a color, or doing something more dangerous, such as spying on your credit card number and payment information.

colorpicker extension warning   Why Do Chrome Plugins Need Access To All My Data and Browsing Activity?

Extensions that only work on a single website, such as an extension that adds additional features to Gmail, will only have the permission to access your data on that specific website. Extensions like LastPass and colorPicker must run everywhere and need more permissions.

google mail checker permission warning   Why Do Chrome Plugins Need Access To All My Data and Browsing Activity?

Access All Data On Your Computer

Some Chrome plugins aren’t just Chrome extensions. They include NPAPI plugins. NPAPI plugins are essentially just programs that run on your computer. Browser plugins like Adobe Flash, Oracle Java, and Adobe’s PDF reader are all NPAPI plug-ins.

When a Chrome extension contains an NPAPI plugin, it has the permission to “Access all data on your computer and the websites you visit.” The NPAPI plugin runs just like a program on your computer with access to your everything on your system. You should be careful about installing Chrome plugins with this permission – it’s just like installing a program on your computer.

For example, LastPass has a special version of its Chrome plugin available from its website. This plugin has the ability to share your LastPass login state with other web browsers running on your computer. It works by using an NPAPI plugin that runs as a program on your computer.

lastpass binary extension warning   Why Do Chrome Plugins Need Access To All My Data and Browsing Activity?

Plugins In Other Browsers

While Chrome’s permission warning messages can seem a bit scary to some users, it’s important to consider that the situation is worse with other web browsers.

For example, when you install a Firefox add-on, the add-on has full permission to access your entire computer, if it wants. There’s no permission system in Firefox. The only limitation is Windows’ User Account Control, which prevents the add-on from running with administrator privileges.

If you pay attention while installing a Firefox add-on, you’ll see a similar warning message, although it’s less specific than Chrome’s warning message.

firefox extension installation warning message   Why Do Chrome Plugins Need Access To All My Data and Browsing Activity?

This also applies to all other software on your computer. When you install a Windows desktop application, it has full access to every file on your computer and the ability to monitor your browsing activity – if it wants to.

While it would be nice if Chrome’s extension permission system was more fine-grained, it would be extremely difficult to limit what more powerful extensions can do. To see a full list of Chrome plugin permission and a short explanation of each, read this page on Google’s website.

How much attention do you pay to permissions when you install Chrome plugins? Have you avoided installing plugins when they ask for lots of permissions, or does Chrome’s permission system provide so many warnings that you ignore them? Leave a comment and share your thoughts!

The comments were closed because the article is more than 180 days old.

If you have any questions related to what's mentioned in the article or need help with any computer issue, ask it on MakeUseOf Answers—We and our community will be more than happy to help.

17 Comments -

0 votes

sophie

Overly attached browser

0 votes

Sean A

Just a little to stalkerish but it is the best browser

0 votes

Lisa Santika Onggrid

I know my way around computers so the warnings are okay with me. Though it’s meant to ensure safety, it’ll scare common users or induce some sort of paranoia.Basic rules: If you don’t know the program asking you permissions, chances are they’re not meant to be there. Chrome is a pretty good browser but maybe not as user friendly.

0 votes

Anonymous

well..as long as a chrome extension gets the job done i dont really care what all permissions its asking for …though i definitely hope that it does not do anything malicious ..i dont know but i hope that google checks for such malicious stuff before it adds any extension to its store.

0 votes

Easton Wiki

I wish extensions required less memory. They all add up so quickly =(

0 votes

susendeep dutta

I don’t like to install many extensions in chrome as they too consume more RAM and I didn’t like the permissions at first sight.But after this article,it realized me of its importance.

0 votes

Arron Walker

I never really liked how the permissions worked in Chrome. I still don’t, but now I understand at least. I didn’t realise firefox did that – guess that’s one more reason to stick to chrome.

0 votes

Chris Hoffman

Yup, they made an effort in Chrome, at least. It’s helpful to realize that Firefox/the Windows Desktop don’t bother trying to use such permissions at all.

0 votes

Anonymous

They need to take this to the next level and explain WHY? Sometimes the reasons are not obvious. But if it listed explicity why it was accessing what it does then I could at least attempt to make a good choice.

0 votes

Kyle Venter

Ha, ha, ha, this article is brilliantly written but is quite a laugh. So, those of you who think denying an app permissions is protecting your privacy? All your information is already known by large secretive U.S corporations, they control the world and all of us like little puppets, using their media to herd us left or right. Don’t worry about plugins, Google already knows how fast you can walk, your gate and how many hairs you have on your left bumb cheek. I wouldn’t worry about plugins when military satellites can peer through your roof from space and in high definition.

0 votes

mohit kumar

Thanks for opening people’s minds.

I’m trying hard not to use google services/ products though.

0 votes

Kevin Wiley

Wow, providing the real scoop and even using your real name… Brave

0 votes

Chris Hoffman

Well, for the sake of argument, let’s accept that everything you said is true.

Even if this is true, installing a bad plugin could be a bad thing — a private citizen could spy on you to get your credit card number or online banking information and mess up your life.

0 votes

Kyle Venter

Well, yeh Chris you are absolutely correct in that, anyone can theoretically gain access through a plugin, but then again, these days anyone can anyway, through war driving on a simple Android smartphone, even WEP, WPA etc etc keys can be cracked with the correct algorithm. A private citizen can do this all if they so wished, I reckon the problems are much deeper than a simple hacker or a poor geek who has found a way to feed his starving family, like Robin of the Hood. As long as the poor keep getting poorer, and the rich Western piggies keep getting fatter and destroying our fragile ecology even more than they have already with among other things, Nuclear weapons and the dictation of ‘proper societal structuring’, as long as this continues, there will always be a ‘robin hood’ or, if he steals money from you or I, a ‘thief’, in the woodwork. The increasing of policing of the internet is just an extension of the already chaotic police society created by Western Fear paradigm, built through using the media to propagate mass fear where, in fact, the very cause of those terrorism acts where the gestapo’s actions in the first place. I wonder who the real people are that need to be feared? Let me just make clear that I in no way condone violence to bring about any change and I believe that the central problem in our modern society is greed, plain and simple, greed, it is why, the powerful want to control and it is why those made to suffer rise up in violent protest and action. I mean, if your kids where starving, what would you do? If bombs where falling out the sky, what would you do? This I am seeing here is simply another form of control by those who have power and priveledge, trying to steer the ‘sheep’ into the little boxes of control they they see as the route to providing the greatest profit for their greedy fat pale bellies. But no matter what you or I do or say, it will never change what ‘they’ want to happen. No amount of violence, hatred, killing, bribing, can stop what those in power wish to accomplish for their own benefit. That is, I am afraid, human nature and ultimate power corrupts, completely and totally, regardless of the ‘constitution’, man will always mold words to fit his/her objective. I just wish people would listen to the words of their forfathers, who knew about things such as greed, corruption and destruction. If we followed the wise of old we would not be doing this to ourselves and to our brothers and sisters. SO, in conclusion, Google will do what they want to do, we are the sheep and must follow, what was once completely ‘free’ will be made ‘controlled’ due to greed and glutony, not privacy and safety. One day when man has turned all that was good and clean into a twisted knot of filth, hate, greed and lust, then, maybe, then we will see in the mirror what we have become, me, you and I, included, and maybe then, we will all decide in one single moment, to treat others as we ourselves would like to be treated.

0 votes

Alberto Lerma

Too Long/Boring/Paranoid; Didn’t Read.

I have a ton of shit in my devices and guess what? IDGAF if anyone is watching. And I think that MUO is not the best place for your shitty pseudo-manifesto, maybe a personal blog would be better.

0 votes

mohit kumar

Firefox is the best browser in terms of usability of addons.

Further I don’t like Chrome because of privacy concerns. Why the hell I need a google account to install addons. Chrome webstore takes minutes to load. And if I use other chromium-based browsers, google doesn’t allow to install extensions, nor user scripts.

Basically, I don’t like to put all my eggs in one basket.

I prefer DuckDuckGo than google search.
Outlook/ Rediffmail over gmail.
Facebook/ Twitter over g+(worst social network).

0 votes

gemini

i cannot install ant addons asking for access all data. i may not have a problem if they collect my browsing history, since their function may well depend on it, but the thought that they can collect passwords (when it is not their main function) is quite scary. basically i can own a rolls royce that has a renault interior and i cannot buy any options because of these permissions.