
How to Restrict Chrome Extension Site Access Permissions

I discovered something unsettling last week. A browser extension I’d installed months ago was reading my ChatGPT conversations and selling that data to advertisers. This extension had “On all sites” permission, and I never thought twice about it when I clicked “Add to Chrome.”

Sound familiar? You’ve probably installed dozens of extensions over the years. Each one asked for permissions, and you clicked “Allow” without reading the fine print. Now those extensions might be tracking everything you do online.

The good news: Chrome lets you restrict most extensions to only work on specific sites. The bad news: Most people don’t know this feature exists.

Let me show you how to lock down your extensions and stop the data harvesting.

The Problem: What “On All Sites” Really Means

When you see “This extension can read and change site data on all sites,” Chrome isn’t exaggerating. An extension with this permission can:

  • Read every word you type on any website
  • Access your cookies and local storage
  • See your browsing history (if granted)
  • Read your clipboard contents
  • Inject code into banking sites, email, anywhere

What extensions can access
// An extension with "On all sites" can do this on EVERY website:
document.body.innerHTML            // Read entire page content
document.forms                     // Access all forms (including passwords)
document.cookie                    // Read cookies
localStorage                       // Access stored data
navigator.clipboard.readText()     // Read clipboard (if permission granted)

Some extensions are legitimate. They need broad access to do their job (ad blockers, password managers). But others are data harvesting operations wrapped in helpful packaging.

The Reddit thread that opened my eyes mentioned that shopping extensions track purchases across all stores, AI assistants read private conversations, and some extensions inject ads into banking websites.

Three Levels of Site Access

Chrome offers three permission levels for extensions:

| Level | What It Means | Privacy Risk |
| --- | --- | --- |
| On all sites | Extension can access every website you visit | HIGH |
| On specific sites | Extension only works on domains you allow | LOW |
| On click | Extension only activates when you click its icon | LOWEST |

“On click” is the sweet spot for most extensions. The extension stays dormant until you need it, then deactivates when you’re done.

Surprisingly, many extensions work perfectly with “On click.” One Reddit user reported that Dark Reader, a popular dark mode extension, works fine with restricted access. If a dark mode extension can function on-demand, most others can too.

Step-by-Step: Restricting Extension Permissions

Method 1: The Extensions Page

This is the most comprehensive approach:

  1. Open Chrome and type chrome://extensions in the address bar
  2. Find the extension you want to restrict
  3. Click the “Details” button on that extension
  4. Scroll down to “Site access”
  5. Change from “On all sites” to either:
    • “On specific sites” (then add the domains)
    • “On click” (recommended for most extensions)

Here’s what the URL shortcuts look like:

Chrome URL shortcuts
chrome://extensions - Main extensions page
chrome://settings/content - Site settings overview
chrome://settings/privacy - Privacy settings

Method 2: From the Toolbar

For quick changes:

  1. Click the puzzle piece icon (top right of Chrome)
  2. Find your extension in the dropdown
  3. Click the three dots menu next to it
  4. Select “This can read and change site data”
  5. Choose your preferred level

Method 3: While on a Specific Website

  1. Navigate to the website where you want to change access
  2. Click the extension’s icon in the toolbar
  3. You’ll see the current access level
  4. Click to modify access for this specific site

When Extensions Won’t Let You Restrict

Here’s where things get complicated. Some extensions gray out the site access options, preventing you from restricting them.

Why? The developer set required permissions in the extension’s manifest.json:

manifest.json (required permissions)
{
  "host_permissions": [
    "<all_urls>"   // This forces "On all sites" - user cannot change it
  ]
}

This is a developer-controlled setting. When an extension declares <all_urls> as a required permission, Chrome doesn’t let users override it.

Your options when an extension can’t be restricted:

  1. Trust the extension - Only if it’s open source and auditable
  2. Remove it - If you don’t absolutely need it
  3. Find an alternative - Look for extensions with better permission practices
  4. Use a separate browser profile - Isolate the extension

Keepa is a good example of responsible development. This Amazon price tracker only requests access to Amazon.com by default. The developer intentionally limited permissions to only what’s needed.

How to Inspect Extension Permissions

Want to see exactly what permissions an extension requests? You can inspect the manifest file directly:

Find extension manifest (macOS)
cd ~/Library/Application\ Support/Google/Chrome/Default/Extensions/
ls -la                                   # list all extension IDs
cd EXTENSION_ID/VERSION/
grep -A 20 '"permissions"' manifest.json
grep -A 10 '"host_permissions"' manifest.json

Find extension manifest (Windows)
cd %LOCALAPPDATA%\Google\Chrome\User Data\Default\Extensions\
dir                                      # list all extension IDs
cd EXTENSION_ID\VERSION\
findstr "permissions" manifest.json

Red flags to watch for:

Suspicious permissions
// CRITICAL - Wants access to everything
"host_permissions": ["<all_urls>"]
"host_permissions": ["*://*/*"]
// HIGH RISK - Can read sensitive data
"permissions": ["clipboardRead", "history", "tabs", "cookies"]
// SUSPICIOUS - Look for these in .js files:
// fetch("https://external-server.com/collect")

Beyond Site Access: Other Privacy Settings

Site access is just the beginning. Chrome has several other permission categories worth checking:

1. Protected Content IDs

Settings > Privacy and security > Site settings > Protected content IDs

Extensions shouldn’t need this for basic functionality. This relates to DRM content.

2. Clipboard Access

Extensions with clipboardRead permission can see anything you copy. This includes passwords you copy from your password manager.

Only password managers truly need this. A shopping extension has no business reading your clipboard.

3. Third-Party Sign-In

Settings > Privacy and security > Site settings > Third-party sign-in

Allows extensions to use your Google or Facebook login. Disable unless you explicitly trust the extension.

4. Payment Handlers

Settings > Privacy and security > Site settings > Payment handlers

Extensions shouldn’t handle payments unless that’s their core purpose.

5. Background Service Workers

Check background activity
Open: chrome://serviceworker-internals

This shows which extensions run continuously in the background. Extensions with persistent background access are more intrusive. Look for:

  • Periodic network requests to unknown servers
  • Constant CPU usage
  • Activity when you’re not using the extension

Setting Up Isolated Browser Profiles

For extensions you need but don’t fully trust, create a dedicated Chrome profile:

  1. Click your profile icon (top right)
  2. Click “Add” to create a new profile
  3. Name it “Shopping” or “Work Tools”
  4. Install the extension only in this profile
  5. Use this profile ONLY for that specific purpose

Why this works:

  • Extensions are profile-specific
  • Data doesn’t leak between profiles
  • Your main browsing stays isolated

Profile isolation diagram
Main Profile            Shopping Profile
|                       |
Personal browsing       Shopping extensions
Email, Banking          Price trackers
No extensions           Deals sites

Practical Examples by Extension Type

Here’s how I configured my extensions:

| Extension Type | Recommended Setting | Why |
| --- | --- | --- |
| Price trackers | On specific sites (amazon.com, etc.) | Only need access where you shop |
| Dark mode | On click | Activate only when needed |
| Grammar checkers | On specific sites (email, docs) | Only where you write |
| Password managers | On all sites (but verify it's trusted) | Need to fill forms everywhere |
| Ad blockers | On all sites (use open source only) | Must block ads on every page |
| Screenshot tools | On click | Only need access when capturing |

The key insight: most extensions don’t need permanent access to every website.

Developer Perspective: Why Some Extensions Can’t Be Restricted

Understanding how permissions work helps you make better decisions.

Extensions can declare permissions in two ways:

Required vs optional permissions
{
  // Required - user cannot restrict
  "host_permissions": [
    "https://specific-site.com/*"
  ],
  // Optional - user controls at runtime
  "optional_host_permissions": [
    "https://*/*",
    "http://*/*"
  ]
}

Responsible developers use optional_host_permissions. This lets the extension request access only when needed, and users can grant it site-by-site.

Chrome’s documentation puts it clearly:

“Use optional permissions to improve the onboarding experience by requesting permissions at runtime. This lets you provide more context around a particular permission and lets users choose which features they want to enable.”

If an extension developer doesn’t offer optional permissions, ask yourself: why do they need permanent, unrestricted access?

My Audit Process

After learning about extension risks, I audited all my installed extensions:

  1. Went to chrome://extensions
  2. For each extension, clicked “Details”
  3. Checked “Site access” setting
  4. If “On all sites” - asked: “Does this extension NEED all-site access?”
  5. If no - changed to “On click” or “On specific sites”
  6. If the extension wouldn’t let me change it - evaluated whether to keep it
  7. Removed 4 extensions I didn’t actually need
  8. Created a separate profile for 2 shopping extensions

The whole process took about 15 minutes. The result: my extensions went from having access to everything to having access only where needed.

Key Takeaways

  1. “On click” works for most extensions. Try this first. If the extension breaks, adjust to “On specific sites.”

  2. Some extensions can’t be restricted. This is developer-controlled. If an extension won’t let you limit access, decide if the privacy risk is worth it.

  3. Good developers limit their own permissions. Keepa only requests Amazon access. Dark Reader is open source and trustworthy. Look for these patterns.

  4. Check beyond site access. Clipboard, third-party sign-in, payment handlers, and background workers all matter.

  5. Use separate profiles for risky extensions. Complete isolation when you can’t verify trust.

  6. Audit regularly. Every few months, review extensions. Remove what you don’t use. Restrict what you keep.

The Reddit insight about extensions reading ChatGPT conversations and selling that data is real. Your browsing data has value. Companies are buying and selling your activity right now.

Take 5 minutes today to restrict your extension permissions. Your future self will thank you.

Final Words + More Resources

My intention with this article was to share my knowledge and experience to help others. If you want to contact me, you can contact me by email: Email me

Here are also the most important links from this article along with some further resources that will help you in this scope:

Oh, and if you found these resources useful, don’t forget to support me by starring the repo on GitHub!
