Building a Chrome Extension with Zero Unnecessary Permissions
<p>Every time I install a Chrome extension, I check the permissions. Most tab managers ask for:</p> <ul> <li>"Read and change all your data on all websites"</li> <li>"Read your browsing history"</li> <li>"Manage your downloads"</li> </ul> <p>For a tab manager. To save URLs.</p> <p>When I built Tab Stash, I wanted to prove you could build a genuinely useful extension with minimal permissions. Here's how.</p> <h2> The Permission Problem </h2> <p>Chrome's permission model is coarse-grained. The <code>tabs</code> permission, for example, gives you access to tab URLs and titles — but it also signals to users that you can "read your browsing activity." That's technically true, but it scares people.</p> <p>Many developers just request everything upfront because it's easier. That's the wrong trade
Every time I install a Chrome extension, I check the permissions. Most tab managers ask for:
-
"Read and change all your data on all websites"
-
"Read your browsing history"
-
"Manage your downloads"
For a tab manager. To save URLs.
When I built Tab Stash, I wanted to prove you could build a genuinely useful extension with minimal permissions. Here's how.
The Permission Problem
Chrome's permission model is coarse-grained. The tabs permission, for example, gives you access to tab URLs and titles — but it also signals to users that you can "read your browsing activity." That's technically true, but it scares people.
Many developers just request everything upfront because it's easier. That's the wrong trade-off.
What Tab Stash Actually Needs
Tab Stash saves your open tabs as Markdown. Here's the minimum set of permissions for that:
{ "permissions": ["activeTab"], "optional_permissions": ["tabs"] }{ "permissions": ["activeTab"], "optional_permissions": ["tabs"] }Enter fullscreen mode
Exit fullscreen mode
That's it. activeTab gives us access to the current tab when the user clicks our icon. The tabs permission is optional — we only request it when the user wants to save ALL open tabs, and Chrome shows a prompt first.
The Architecture
The extension is straightforward:
popup.html (UI) ├── popup.js (tab capture + display) ├── storage.js (chrome.storage.local wrapper) ├── export.js (Markdown formatting) └── settings.js (format preferences)popup.html (UI) ├── popup.js (tab capture + display) ├── storage.js (chrome.storage.local wrapper) ├── export.js (Markdown formatting) └── settings.js (format preferences)Enter fullscreen mode
Exit fullscreen mode
No background scripts running 24/7. No content scripts injected into pages. The extension only activates when you click it.
Saving Tabs
The core function is embarrassingly simple:
async function captureCurrentTabs() { const tabs = await chrome.tabs.query({ currentWindow: true });async function captureCurrentTabs() { const tabs = await chrome.tabs.query({ currentWindow: true });return tabs.map(tab => ({ title: tab.title, url: tab.url, favIconUrl: tab.favIconUrl, savedAt: Date.now() })); }`
Enter fullscreen mode
Exit fullscreen mode
Exporting as Markdown
The export module handles multiple formats:
function toMarkdownLinks(tabs) { return tabs .map(t => function toMarkdownLinks(tabs) { return tabs .map(t => ) .join('\n'); }) .join('\n'); }function toWikiLinks(tabs) {
return tabs
.map(t => - [[${t.title}]])
.join('\n');
}
function toNumberedList(tabs) {
return tabs
.map((t, i) => ${i + 1}. [${t.title}](${t.url}))
.join('\n');
}`
Enter fullscreen mode
Exit fullscreen mode
Local Storage Only
Everything persists in chrome.storage.local:
async function saveSession(name, tabs) { const session = { name, tabs, createdAt: Date.now(), id: crypto.randomUUID() };async function saveSession(name, tabs) { const session = { name, tabs, createdAt: Date.now(), id: crypto.randomUUID() };const { sessions = [] } = await chrome.storage.local.get('sessions'); sessions.unshift(session); await chrome.storage.local.set({ sessions });
return session; }`
Enter fullscreen mode
Exit fullscreen mode
No server, no database, no sync service. The user's data never leaves their machine.
File Export
For the auto-export feature, we use the downloads permission (requested only when the user enables file export):
async function exportAsFile(session, format) { const content = formatSession(session, format); const blob = new Blob([content], { type: 'text/markdown' }); const url = URL.createObjectURL(blob);async function exportAsFile(session, format) { const content = formatSession(session, format); const blob = new Blob([content], { type: 'text/markdown' }); const url = URL.createObjectURL(blob);await chrome.downloads.download({
url,
filename: tab-stash/${session.name}.md,
saveAs: false
});
URL.revokeObjectURL(url); }`
Enter fullscreen mode
Exit fullscreen mode
Results
Tab Stash weighs in at ~15KB total. It loads instantly, uses zero memory when not active, and requests only the permissions it needs when it needs them.
The permission-minimal approach actually forced better architecture decisions. When you can't spy on everything, you have to think carefully about what data you actually need.
Tab Stash on Chrome Web Store | Source on GitHub
What's your approach to Chrome extension permissions? I'm curious if others think about this as much as I do.
DEV Community
https://dev.to/pmestreforge/building-a-chrome-extension-with-zero-unnecessary-permissions-3cj5Sign in to highlight and annotate this article
Conversation starters
Daily AI Digest
Get the top 5 AI stories delivered to your inbox every morning.
More about
modelservicefeature
China Issues Draft Rules on Interactive AI Services - Mayer Brown
<a href="https://news.google.com/rss/articles/CBMisAFBVV95cUxNeDI2LThNcmFfdFllRUJCelpGdUlNM3FaeGVDTmM4Uzhoa3J2c0RfNzVlczJhMDJHMHo0dFBtR3U5QUhjYXJfV3ZTQnNSeHdwT2ViSVRQRy1YVEJCMkJLbXJEb0kzNVFuZ00xT05nYzVOX2haOWJRMlZfZjRHZkNxRWhJUWxUZkttMTY1eVR3eUdpZFZqXzEwRTVxbWZ0UkFJYU82NEFGMzdEWWpvR3FXbw?oc=5" target="_blank">China Issues Draft Rules on Interactive AI Services</a> <font color="#6f6f6f">Mayer Brown</font>
Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models - WSJ
<a href="https://news.google.com/rss/articles/CBMiuANBVV95cUxOOGItWGdQMGlaeThwcnNieE40a05Ed19xRnlsYm9XdXdhTk9yc2NvWDU3Y3EwTDZNb2kzQ1Z1T0RIcEZlZDBNRTNTUG1LQ0I4cVZEQUZEcXhqREk5RllkS3EzTU10eHNrcWFDQ0lEdmYxaTBNMi1iMWMxS0t3bHpOSWt2bXhQcGxMOFFEWVNhN29HNVpmVkIwVXc2UmEtOFBpMnJvMi1rRkVxcWt2LWVvdnItNkllR1gyano3VEpPQVZNdTZWRkFvcWdWRm5QSmtTYmE2ajhnQ0picndQNE0xd21fdG1RWFpjcFFiRHh2OVRYMTVBclg2RTJvM1ZxZ0lmOWJrQV91S05kbjhXM3B6Z3BMeGJiY2tzMVNpNzZaNW91QjM4VFJIazVFOFRGSDJBdWg4ZXY3VUVvQnhkc3BIWjU2d0M3Uk1PdXZjOFR0QnplZmJQQkl6QVhNaEgzUG53RWwxdmRFNng5Q3pqc0hBaHNrTFVobk1iVV9PNnh2NEpGVEZ0TGZrUWNEZjlWMDNjWVZyV0UzZndPZ2I1dUtZWDN5TFJMUklkc1hoNWYwMEpRMkZJbEwxcQ?oc=5" target="_blank">Exclusive | Caltech Researchers Claim Radical Compression of High-Fidelity AI Models</a> <font color="#6f6f6f">WSJ</font>
Knowledge Map
Connected Articles — Knowledge Graph
This article is connected to other articles through shared AI topics and tags.
More in Products
Hershey applies AI across its supply chain operations - AI News
<a href="https://news.google.com/rss/articles/CBMipgFBVV95cUxQVFVqanBsaEJOaTVyRHFPaUt2QVV4Q045bW1ZdUlMUUZJdEJJWXFqUHdPZmhtRl9xLXNJWkd4TG1yc2NhalFFY2d0c3A3WU5keVZBcHVQOTkybVQyTlBCd3Jxek0zczFSOEdUM0lOaGZOZjB4WTBkSjByY0g1eURUN3c0RHk0U3FyRjZGZEhHNVotUnN6MWUwMHNuTzUtSHlLYjQ0RWJR?oc=5" target="_blank">Hershey applies AI across its supply chain operations</a> <font color="#6f6f6f">AI News</font>
The Top 100 Gen AI Consumer Apps — 6th Edition - Andreessen Horowitz
<a href="https://news.google.com/rss/articles/CBMiS0FVX3lxTE1odTRIQk11RzgyYmQzdmplaDdWNVJxWU8zNnVrd3VaT19JRDlfSDRWMEp4TWx3NkVPU0I0QTVtT2E1SmlVWEpRYmtJMA?oc=5" target="_blank">The Top 100 Gen AI Consumer Apps — 6th Edition</a> <font color="#6f6f6f">Andreessen Horowitz</font>
The AI Video Apps Gaining Ground After OpenAI Declared Sora Dead - Bloomberg.com
<a href="https://news.google.com/rss/articles/CBMi4AFBVV95cUxNRmVodXNBRDJ2ZVNUd3lWUUpXSFRCcExNV3lXVl90OEdWcU03VjNmZG1nMFZ0WVIzbUpBcWRTV2owN180c1AzeUE3c1hqMTV2ZEk5dkdaM1pVYlZtb243aVlFZjRydFVGVV9ITm5SM29SNm5TN3dpRzByeV9ieXJrbERkMHkwYXlmM3EtY0g3UTk4WC1MOUNLcVp0TXJhZm5rTEZYdEVKWGJReTRWdVlwVmhXcENFVld0N2NEV1IwUDlZOXFxdDVjSjFyOFc1SlBhVkt0Y2o0elduMGFPcjREQg?oc=5" target="_blank">The AI Video Apps Gaining Ground After OpenAI Declared Sora Dead</a> <font color="#6f6f6f">Bloomberg.com</font>
Discussion
Sign in to join the discussion
No comments yet — be the first to share your thoughts!