If you’ve installed Chrome plugins, you’ve probably seen a warning that they can access your data on all websites, your tabs and browsing activity, or even all the data on your computer. This warning can be scary, especially if you’re installing a simple browser extension that looks harmless.
Chrome has a permissions system, just like Android does. Unfortunately, the way web browsers and web pages work means that extensions must ask for quite a few permissions to do simple things. Chrome’s permissions system is not particularly fine-grained.
Unlike Mozilla Firefox and Internet Explorer, both of which allow extensions to do anything they want, Chrome uses a permission system for its extensions. All Chrome plugins must declare the permissions they need. When you install a plugin, you’ll see a list of the permissions it requires. This gives you some idea of what a plugin can do. For example, if an extension doesn’t require any permissions, it’s definitely safe to install. If an extension requires permission to access all the data on your computer, you should be sure the extension was created by someone you trust.
Very simple plugins, such as the Timer plugin, which displays a timer button on your browser toolbar and doesn’t interact with any websites, don’t need any permissions.
Other plugins need different types of permissions, depending on what they do.
Access Your Data On All Websites
Plugins that interact with web pages need to declare the permissions “Access your data on all websites.” Plugins that need to see the addresses and titles of the websites you visit must declare the permission “Access your tabs and browsing activity“.
Google has no way of knowing whether an extension that manipulates the pages you visit is doing something innocuous, like picking a color, or doing something more dangerous, such as spying on your credit card number and payment information.
Extensions that only work on a single website, such as an extension that adds additional features to Gmail, will only have the permission to access your data on that specific website. Extensions like LastPass and colorPicker must run everywhere and need more permissions.
Access All Data On Your Computer
Some Chrome plugins aren’t just Chrome extensions. They include NPAPI plugins. NPAPI plugins are essentially just programs that run on your computer. Browser plugins like Adobe Flash, Oracle Java, and Adobe’s PDF reader are all NPAPI plug-ins.
When a Chrome extension contains an NPAPI plugin, it has the permission to “Access all data on your computer and the websites you visit.” The NPAPI plugin runs just like a program on your computer with access to your everything on your system. You should be careful about installing Chrome plugins with this permission – it’s just like installing a program on your computer.
For example, LastPass has a special version of its Chrome plugin available from its website. This plugin has the ability to share your LastPass login state with other web browsers running on your computer. It works by using an NPAPI plugin that runs as a program on your computer.
Plugins In Other Browsers
While Chrome’s permission warning messages can seem a bit scary to some users, it’s important to consider that the situation is worse with other web browsers.
For example, when you install a Firefox add-on, the add-on has full permission to access your entire computer, if it wants. There’s no permission system in Firefox. The only limitation is Windows’ User Account Control, which prevents the add-on from running with administrator privileges.
If you pay attention while installing a Firefox add-on, you’ll see a similar warning message, although it’s less specific than Chrome’s warning message.
This also applies to all other software on your computer. When you install a Windows desktop application, it has full access to every file on your computer and the ability to monitor your browsing activity – if it wants to.
While it would be nice if Chrome’s extension permission system was more fine-grained, it would be extremely difficult to limit what more powerful extensions can do. To see a full list of Chrome plugin permission and a short explanation of each, read this page on Google’s website.
How much attention do you pay to permissions when you install Chrome plugins? Have you avoided installing plugins when they ask for lots of permissions, or does Chrome’s permission system provide so many warnings that you ignore them? Leave a comment and share your thoughts!