Many extensions in the Chrome Web Store want to “read and change all your information on the websites y’all visit”. That sounds a petty dangerous—and it can be—but many extensions just need that permission to exercise their jobs.

Chrome Has a Permission Organisation, But Firefox and Internet Explorer Don’t

Annotation:
This slice was originally written in 2017. Since and then, Mozilla Firefox and Microsoft Edge have gained permission systems.

This may seem alarming, especially coming from something similar Firefox. But you but see this warning because Chrome has a permission system for its extensions, while Firefox and Internet Explorer don’t.
Every Firefox and Internet Explorer extension has full access to the entire browser, and can do anything it wants.

For example, when you install the Tampermonkey add-on in Firefox, you won’t see a permission warning at all. Simply that improver gains admission to your unabridged Firefox browser.

Unlike extensions for these other browsers, though, Chrome extensions must declare the permissions they need. When you install an extension, you’ll come across a list of the permissions it requires and you tin can brand an informed decision about whether to install the extension. It’s a flake similar the permissions system built into Android.

To use the aforementioned example, when yous install the Tampermonkey extension for Chrome, you’ll see information almost the permissions the extension requires.

Very unproblematic extensions don’t actually require any permissions. For instance, the official Google Hangouts extension just provides a toolbar icon yous can click to open a Google Hangouts chat window. Install it, and you won’t exist warned near whatever special permissions it requires.

Why Extensions Demand Permission to “Read and Change All Your Data”

Endeavour to install most extensions, however, and yous’ll exist warned well-nigh the permissions they require. The virtually scary looking one is probably “Read and change all your data on the websites you visit”. This means that the extension can view every web page you visit, modify those web pages, and even send data well-nigh that over the web.

For example, Google offers a Save to Google Bulldoze extension that allows y’all to right-click on whatsoever web folio or link and save that page to your Google Bulldoze. The extension requires the ability to “Read and alter all your data on the websites you visit”. But it needs this permission because, when you lot try to save content, the extension must be able to access the current spider web page and view its data.

Extensions that need to interact with spider web pages will virtually ever crave the “Read and change all your information on the websites you visit” permission. That’s why the Google Hangouts extension doesn’t inquire for this permission: It has no features that interact with an open spider web page in your browser.

Click around and you lot’ll quickly realize that most browser extensions offer features that interact with the current web page, from countersign managers that need to fill up passwords to lexicon extensions that demand to define words. That’southward why this permission is so mutual.

Extensions that but work on a single website may only crave the ability to “Read and change your data” on a specific website. For example, the official Google Mail Checker extension requires the permission to “Read and change your data on all google.com sites”.

Sure, this level of access would let an extension capture your passwords and credit card numbers or insert boosted advertisements into web pages. Only Google doesn’t know whether an extension volition use its permissions for good or evil. Many pop and legitimate extensions crave this permission, as there’south no other way they can interact with open up web pages.

Merely, it the permission alert makes you think twice earlier installing an extension you’re not sure nigh, that’s good. That’south why it’south at that place—information technology’s a reminder of how much admission you’re providing to your personal data whenever you install a browser extension.

Some Extensions Have Even Broader Permissions

Extensions can request quite a few other permissions, likewise. For example, the AVG Web TuneUp extension installed as part of the AVG antivirus requires the permission to read and change all your data on the websites yous visit, read and change your browsing history, modify your habitation page, change your search settings, change your starting time folio, manage your downloads, manage your apps, extensions, and themes, and communicate with cooperating native applications on your figurer.

RELATED:

Don’t Use Your Antivirus’ Browser Extensions: They Tin can Really Make Y’all Less Safe

We don’t recommend using your antivirus’southward browser extensions, and Chrome’s permissions system does a expert job of showing why in this case. This extension is very invasive and requires admission to almost every function of your browser. The permissions window helps warn you lot of the permissions you lot’ll be granting, so you can make an informed decision.

Even the scariest browser extension doesn’t take equally much access to your computer as a desktop program would, though. Normal Windows applications accept admission to your keystrokes and files, including your web browsers. That’south why you shouldn’t run a desktop application you don’t trust, just every bit yous shouldn’t install a browser extension you don’t trust.

Which Browser Extensions Should You Trust?

If you lot’re giving an extension access to all the websites you visit, that extension could potentially capture your online banking passwords and credit menu numbers or insert ads in the pages y’all view. It’s simply as dangerous for your web browsing data equally installing a desktop program, so you should treat the decision just as carefully.

In theory, browser extensions available in the Chrome Web Store, Mozilla Add-ons website, and Windows Store are monitored by Google, Mozilla, and Microsoft, respectively. The visitor in charge of the store tin can remove an addition from the store if it’due south doing something bad.

In reality, though, browser makers don’t test every extension—or every update to a legitimate extension—to confirm it’s safe. A browser maker will often just get effectually to removing an extension after information technology’s acquired problems for many people who take it installed.

If the extension requires quite a few permissions, you’ll take to evaluate it like you would a desktop programme. If the extension is created by a company yous trust—like the many extensions created by companies like Google, Microsoft, Twitter, Facebook—you know information technology’due south probable prophylactic. If the extension was created by someone you don’t know, exist more careful. If the extension is established and has a large number of users, skilful feedback in the store, and positive reviews on other websites, that’s a good sign. If information technology has mixed feedback or much fewer users, that’s a bad sign.

If you’re ever in incertitude, don’t install that extension. It’due south best to utilize as few extensions as possible to keep your browser fast, anyhow.

More browsers are adding permission systems, all the same. Microsoft Border uses Chrome-style extensions and will warn you about the permissions the extensions require. Firefox will besides move to Chrome-style extensions in the time to come.