Extension Security (MV3)

Reduce attack surface and meet enterprise expectations with clear, practical controls.


Threat modeling for extensions

Map data & boundaries

  • Data in/out and trust boundaries across page ↔ content script ↔ service worker ↔ backend.
  • Spoofing, injection, and elevation paths between components.
  • Third-party surfaces (iframes, CDNs, APIs), each granted the least trust possible.

Controls

  • Explicit message contracts with validation.
  • Origin checks and user-gesture gates for sensitive actions.
  • Telemetry on denials and unusual flows.
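The three controls above in one Manifest V3 service-worker message handler, as an added example that is not code from the page: an explicit contract per action with type checks and rejection of extra fields, a sender check against the extension's own id or an allowlisted web origin, a gate that accepts sensitive actions only from the extension's own pages (which issue them from a click handler), and a denial record for telemetry. The origin `https://app.example.com`, the action names and the field list are assumptions; the dispatcher is pure so it runs outside a browser.

```javascript
// Added example (not from the page): a message contract for a Manifest V3
// service worker. ALLOWED_ORIGINS, the action names and their fields are
// assumptions chosen for illustration.

// Web origins allowed to message the extension (via externally_connectable).
// Constructed value.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']);

// Contract: each action lists its required fields (by JS type) and whether it
// is sensitive enough to require the extension's own UI as the caller.
const CONTRACT = {
  'get-status': { fields: {}, sensitive: false },
  'export-report': { fields: { reportId: 'string' }, sensitive: true },
};

// Denial telemetry; a real worker would batch this to the backend.
const denials = [];
function recordDenial(reason, action) {
  denials.push({ reason, action: String(action), at: Date.now() });
}

// Returns null when the message matches its contract, otherwise the reason.
function validateMessage(msg) {
  if (!msg || typeof msg !== 'object') return 'not-an-object';
  const spec = CONTRACT[msg.action];
  if (!spec) return 'unknown-action';
  for (const [name, type] of Object.entries(spec.fields)) {
    if (typeof msg[name] !== type) return `bad-field:${name}`;
  }
  // Reject extra keys so callers cannot smuggle parameters past the contract.
  for (const key of Object.keys(msg)) {
    if (key !== 'action' && !Object.prototype.hasOwnProperty.call(spec.fields, key)) {
      return `unexpected-field:${key}`;
    }
  }
  return null;
}

// Trusted senders: our own extension (content scripts, popup, options page)
// or an allowlisted web origin.
function isTrustedSender(sender, ownId) {
  if (sender.id === ownId) return true;
  return typeof sender.origin === 'string' && ALLOWED_ORIGINS.has(sender.origin);
}

// Sensitive actions are accepted only from the extension's own pages, which
// send them from a click handler (the user-gesture gate). Content scripts
// report the web page's URL as sender.url, so they do not pass this check.
function isOwnPage(sender, ownId) {
  return sender.id === ownId && typeof sender.url === 'string'
    && sender.url.startsWith(`chrome-extension://${ownId}/`);
}

// Pure dispatcher, so it can be exercised without browser APIs.
function handleMessage(msg, sender, ownId) {
  if (!isTrustedSender(sender, ownId)) {
    recordDenial('untrusted-sender', msg && msg.action);
    return { ok: false, error: 'denied' };
  }
  const problem = validateMessage(msg);
  if (problem) {
    recordDenial(problem, msg && msg.action);
    return { ok: false, error: 'denied' };
  }
  if (CONTRACT[msg.action].sensitive && !isOwnPage(sender, ownId)) {
    recordDenial('sensitive-action-outside-own-ui', msg.action);
    return { ok: false, error: 'denied' };
  }
  // Placeholder business logic for the two constructed actions.
  const result = msg.action === 'get-status' ? 'idle' : `exported:${msg.reportId}`;
  return { ok: true, result };
}

// Register listeners only when running inside an extension service worker.
if (typeof chrome !== 'undefined' && chrome.runtime && chrome.runtime.onMessage) {
  const ownId = chrome.runtime.id;
  const listener = (msg, sender, sendResponse) => {
    sendResponse(handleMessage(msg, sender, ownId));
  };
  chrome.runtime.onMessage.addListener(listener);
  chrome.runtime.onMessageExternal.addListener(listener);
}
```

The denial reasons are deliberately specific internally but the response to the caller is a uniform `denied`, so telemetry sees which contract rule fired while an external page learns nothing about the contract's shape.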

Permissions strategy

Principles

  • Least privilege across host and API permissions.
  • Prefer optional permissions with explicit user triggers.
  • Narrow host patterns; avoid wildcards when feasible.

Practice

  • Explain & justify each permission in copy and privacy labels.
  • Log permission grants; allow easy revocation.
  • Review permission drift in release checklists.
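A release-checklist check for permission drift, added here as an example and not code from the page: it diffs the `permissions`, `optional_permissions`, `host_permissions` and `optional_host_permissions` arrays of two manifest versions and turns any new required permission or any wildcard host pattern into a blocker. The two manifests and the `api.example.com` host are constructed samples; the optional-permission request at the end shows the user-triggered path and only runs inside an extension.

```javascript
// Added example (not from the page): permission drift between two manifest.json
// versions, for a release checklist. Sample manifests are constructed.

// Gather the four permission lists into sets (missing keys become empty sets).
function permissionSets(manifest) {
  return {
    permissions: new Set(manifest.permissions || []),
    optional: new Set(manifest.optional_permissions || []),
    hosts: new Set(manifest.host_permissions || []),
    optionalHosts: new Set(manifest.optional_host_permissions || []),
  };
}

function diffSets(before, after) {
  return {
    added: [...after].filter((x) => !before.has(x)).sort(),
    removed: [...before].filter((x) => !after.has(x)).sort(),
  };
}

// A match pattern is "broad" when it grants every host: <all_urls> or a
// scheme://*/... pattern whose host component is exactly "*".
function isBroadHostPattern(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]+)\//.exec(pattern);
  return !!m && m[2] === '*';
}

// Returns the drift report; a non-empty `blockers` list fails the checklist.
function permissionDrift(prev, next) {
  const a = permissionSets(prev);
  const b = permissionSets(next);
  const report = {
    permissions: diffSets(a.permissions, b.permissions),
    optional: diffSets(a.optional, b.optional),
    hosts: diffSets(a.hosts, b.hosts),
    optionalHosts: diffSets(a.optionalHosts, b.optionalHosts),
    blockers: [],
  };
  for (const p of report.permissions.added) {
    report.blockers.push(`new required permission: ${p}`);
  }
  for (const h of report.hosts.added) {
    report.blockers.push(isBroadHostPattern(h)
      ? `broad host pattern: ${h}`
      : `new required host: ${h}`);
  }
  // Optional hosts are user-gated, but a wildcard there still widens the blast radius.
  for (const h of report.optionalHosts.added) {
    if (isBroadHostPattern(h)) report.blockers.push(`broad optional host pattern: ${h}`);
  }
  return report;
}

// Constructed manifests: v2 correctly moves "tabs" to optional but also
// slips in a wildcard host pattern, which the checklist must catch.
const MANIFEST_V1 = {
  manifest_version: 3,
  permissions: ['storage', 'tabs'],
  host_permissions: ['https://api.example.com/*'],
};
const MANIFEST_V2 = {
  manifest_version: 3,
  permissions: ['storage'],
  optional_permissions: ['tabs'],
  host_permissions: ['https://api.example.com/*', '*://*/*'],
};

// Runtime side of "optional permissions with explicit user triggers": call this
// from a click handler in the popup so the request is tied to a user gesture.
async function requestTabsPermission() {
  if (typeof chrome === 'undefined' || !chrome.permissions) return false;
  return chrome.permissions.request({ permissions: ['tabs'] }); // true if granted
}
```

Run `permissionDrift(previousManifest, currentManifest)` in CI against the last shipped manifest; print `report.optional` and `report.removed` entries for the reviewer, and fail the build on `report.blockers`.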

Content Security Policy (CSP)

Lock it down

  • Block inline; use hashes/nonce for strict script/style control.
  • Restrict connect/img/media to known domains only.
  • Separate policies for extension pages vs. content scripts.

Operate safely

  • Audit CSP reports; fix noisy allowances.
  • Keep third-party inclusions to a minimum.
  • Validate DOM writes; sanitize inputs.
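A linter for the MV3 `content_security_policy.extension_pages` string, added here as an example (not the page's own code) to make the "lock it down" and "fix noisy allowances" points concrete. It flags `'unsafe-inline'`/`'unsafe-eval'` and remote or wildcard sources in `script-src`, a missing `object-src 'none'`, and scheme-wide or host-wildcard sources in `connect-src`, `img-src` and `media-src`. Chrome already refuses to load an MV3 manifest whose extension-pages policy relaxes `script-src`; the value of the check is catching it in CI, together with the allowances Chrome does accept. The two sample policies and the `api.example.com`/`cdn.example.com` hosts are constructed.

```javascript
// Added example (not from the page): lint the Manifest V3
// content_security_policy.extension_pages string. Sample policies are constructed.

// Split "dir src src; dir src" into a Map of directive -> source list.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Sources that allow any host for a scheme, or any host at all.
function isBroadSource(src) {
  return src === '*' || src === 'http:' || src === 'https:' || /^https?:\/\/\*$/.test(src);
}

// Returns a list of findings; an empty list means the policy is locked down.
function lintExtensionPagesCsp(csp) {
  const d = parseCsp(csp);
  const findings = [];
  // A directive falls back to default-src when absent, as the browser does.
  const effective = (dir) => d.get(dir) || d.get('default-src') || [];

  const script = effective('script-src');
  if (script.length === 0) findings.push('no script-src or default-src: scripts are unrestricted');
  for (const bad of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (script.includes(bad)) findings.push(`script-src allows ${bad}`);
  }
  if (script.some((s) => s === '*' || /^https?:/.test(s))) {
    findings.push('script-src allows remote or wildcard sources');
  }
  if (!effective('object-src').includes("'none'")) {
    findings.push("object-src should be 'none'");
  }
  for (const dir of ['connect-src', 'img-src', 'media-src']) {
    const broad = effective(dir).filter(isBroadSource);
    if (broad.length) findings.push(`${dir} allows broad sources: ${broad.join(' ')}`);
  }
  return findings;
}

// Constructed policies: a strict one, and one with typical noisy allowances.
const STRICT_CSP = "default-src 'self'; script-src 'self'; object-src 'none'; "
  + "connect-src https://api.example.com; img-src 'self'; media-src 'none'; style-src 'self'";
const LOOSE_CSP = "default-src 'self'; script-src 'self' 'unsafe-eval' https://cdn.example.com; "
  + "connect-src *; object-src 'self'";
```

Feed it the string from `manifest.content_security_policy.extension_pages` in the same release check that reviews permissions, and keep the strict policy as the reference to diff against.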

Secret management

Core rules

  • No long-lived secrets in client code where avoidable.
  • Use backend proxies and short-lived tokens.
  • Rotate tokens; scope narrowly.

Implementation

  • Gate secrets behind user identity & roles.
  • Encrypt at rest and scrub logs/telemetry.
  • Automate key rotation and deprovisioning.
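The "backend proxy plus short-lived token" pattern on the client side, as an added example that is not code from the page: the extension never holds the upstream API secret; it asks the proxy (assumed endpoint `https://proxy.example.com/token`) for a short-lived token, keeps it in memory only, refreshes it a little before `exp`, and refuses to use a token whose scope is wider than the action needs. The token is a JWT-shaped string whose payload the client decodes without verifying the signature (only the backend verifies; the client just schedules refreshes). The token format, claim names and skew are assumptions.

```javascript
// Added example (not from the page): client handling of a short-lived token
// issued by a backend proxy. Endpoint, claim names and skew are assumptions.

// Decode the payload of a JWT-shaped token (base64url). No signature check:
// the client only reads `exp` and `scope`; authorization stays on the backend.
function decodePayload(token) {
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  try {
    const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  } catch {
    return null;
  }
}

// Refresh this many seconds before expiry so a request never races the deadline.
const REFRESH_SKEW_SECONDS = 30;

// True when the token is missing, malformed, or inside the skew window.
function needsRefresh(token, nowSeconds) {
  const payload = token ? decodePayload(token) : null;
  if (!payload || typeof payload.exp !== 'number') return true;
  return payload.exp - nowSeconds <= REFRESH_SKEW_SECONDS;
}

// Narrow scope: refuse a token carrying any scope outside the allowed list.
function hasOnlyScopes(token, allowed) {
  const payload = decodePayload(token);
  if (!payload || typeof payload.scope !== 'string') return false;
  return payload.scope.split(' ').every((s) => allowed.includes(s));
}

// In-memory cache only: nothing written to extension storage, dropped when the
// service worker is terminated.
let cachedToken = null;

// Obtain a usable token, refreshing through the proxy when needed. `fetchImpl`
// is injected so the logic can be exercised without a network.
async function getToken(fetchImpl, nowSeconds) {
  if (!needsRefresh(cachedToken, nowSeconds)) return cachedToken;
  const res = await fetchImpl('https://proxy.example.com/token', {
    method: 'POST',
    credentials: 'include', // proxy authenticates the user by session, not by a client secret
  });
  if (!res.ok) throw new Error(`token refresh failed: ${res.status}`);
  const body = await res.json();
  cachedToken = body.access_token;
  return cachedToken;
}

// Build an unsigned JWT-shaped token for the example only; a real token is
// minted and signed by the backend. Constructed helper.
function makeToken(payload) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none' })}.${enc(payload)}.sig`;
}
```

If the token must survive service-worker restarts, `chrome.storage.session` keeps it in memory for the browser session without writing it to disk; the point is that no long-lived credential ever reaches the client, so rotation and deprovisioning happen on the proxy alone.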

Dependency hygiene

Guardrails

  • Pin versions and audit regularly (supply-chain risks).
  • Evaluate popularity & maintenance signals.
  • Minimal transitive trees; avoid bloat.

Cadence

  • Routine updates with changelog reviews.
  • Block builds on critical advisories.
  • Track binary artifacts; verify integrity.
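A CI guard over `package-lock.json` as an added example (not the page's code) for the guardrails above: it walks the lockfile v2/v3 `packages` map and reports any dependency that is unpinned, lacks an integrity hash, uses an integrity algorithm other than sha512, or resolves somewhere other than the expected registry (a git or HTTP URL), and it returns package count and nesting depth as bloat signals. The lock object below is constructed, including its integrity strings.

```javascript
// Added example (not from the page): audit a package-lock.json (lockfile v2/v3
// "packages" map) for supply-chain guardrails. The lock object is constructed.

const REGISTRY = 'https://registry.npmjs.org/';

// Returns { problems, count, maxDepth }; a non-empty `problems` fails the build.
function auditLockfile(lock, registry = REGISTRY) {
  const problems = [];
  let count = 0;
  let maxDepth = 0;
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || entry.link) continue; // root project entry / workspace symlink
    count += 1;
    // Nesting depth: node_modules/a/node_modules/b is depth 2.
    maxDepth = Math.max(maxDepth, (path.match(/node_modules\//g) || []).length);
    const name = path.replace(/^.*node_modules\//, '');
    if (!entry.version) problems.push(`${name}: no pinned version`);
    if (!entry.resolved) {
      problems.push(`${name}: no resolved URL`);
    } else if (!entry.resolved.startsWith(registry)) {
      problems.push(`${name}: resolved outside registry (${entry.resolved})`);
    }
    if (!entry.integrity) {
      problems.push(`${name}: missing integrity hash`);
    } else if (!entry.integrity.startsWith('sha512-')) {
      problems.push(`${name}: integrity not sha512`);
    }
  }
  return { problems, count, maxDepth };
}

// Constructed lockfile: one clean package, one pulled from a git URL without
// integrity, one with an old sha1 integrity, and one nested duplicate.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-extension', version: '1.2.0' },
    'node_modules/left-pad': {
      version: '1.3.0',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz',
      integrity: 'sha512-CONSTRUCTEDHASHVALUE==',
    },
    'node_modules/fork-of-util': {
      version: '0.9.2',
      resolved: 'git+ssh://git@github.com/someone/fork-of-util.git#deadbeef',
    },
    'node_modules/old-lib': {
      version: '2.0.0',
      resolved: 'https://registry.npmjs.org/old-lib/-/old-lib-2.0.0.tgz',
      integrity: 'sha1-CONSTRUCTEDHASHVALUE=',
    },
    'node_modules/old-lib/node_modules/semver': {
      version: '5.7.2',
      resolved: 'https://registry.npmjs.org/semver/-/semver-5.7.2.tgz',
      integrity: 'sha512-CONSTRUCTEDHASHVALUE==',
    },
  },
};
```

Run it after `npm ci` in the pipeline and compare `count` and `maxDepth` against the previous release to spot tree growth before it becomes bloat; pair it with `npm audit` so critical advisories block the build as the cadence above requires.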

Telemetry & privacy

Privacy controls

  • PII stripping and event sampling by default.
  • Clear consent and opt-out pathways.
  • Defined retention windows per data type.
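A telemetry sanitiser serving two passages at once, "scrub logs/telemetry" under Secret management and "PII stripping and event sampling by default" here, added as an example that is not code from the page: it drops credential-bearing fields outright, replaces PII fields with markers, scrubs bearer tokens and e-mail addresses out of free text such as URLs and error messages, and samples non-error events deterministically by trace id so a whole trace is kept or dropped together (which is what makes trace ids useful for root cause). The field-name lists, the 10% default rate and the sample event are assumptions.

```javascript
// Added example (not from the page): scrub and sample telemetry events before
// they leave the extension. Field lists, rate and sample event are constructed.

const SECRET_KEYS = /^(authorization|cookie|set-cookie|token|access_token|refresh_token|api[_-]?key|password)$/i;
const PII_KEYS = /^(email|phone|name|full_name|ip|address)$/i;
const EMAIL_RE = /[\w.+-]+@[\w-]+\.[\w.-]+/g;
const BEARER_RE = /Bearer\s+[A-Za-z0-9._~+/=-]+/g;

// Free-text scrub: tokens and e-mail addresses inside messages and URLs.
function scrubString(s) {
  return s.replace(BEARER_RE, 'Bearer [REDACTED]').replace(EMAIL_RE, '[EMAIL]');
}

// Walk the event: secret fields are removed, PII fields replaced, strings scrubbed.
function scrubEvent(value, depth = 0) {
  if (depth > 8) return '[TRUNCATED]';
  if (typeof value === 'string') return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubEvent(v, depth + 1));
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (SECRET_KEYS.test(k)) continue;
      if (PII_KEYS.test(k)) { out[k] = '[PII]'; continue; }
      out[k] = scrubEvent(v, depth + 1);
    }
    return out;
  }
  return value;
}

// FNV-1a 32-bit hash, enough to spread trace ids evenly for sampling.
function fnv1a(str) {
  let h = 0x811c9dc5;
  for (let i = 0; i < str.length; i++) {
    h ^= str.charCodeAt(i);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Deterministic sampling keyed on trace id: every event of one trace gets the
// same decision, so a sampled trace is complete rather than a random subset.
function shouldSample(traceId, rate) {
  if (rate >= 1) return true;
  if (rate <= 0) return false;
  return (fnv1a(traceId) % 10000) < rate * 10000;
}

const DEFAULT_RATE = 0.1; // sampling by default; errors are always kept

// Returns the scrubbed event to send, or null when sampled out.
function prepareEvent(event) {
  const keep = event.level === 'error' || shouldSample(String(event.traceId || ''), DEFAULT_RATE);
  return keep ? scrubEvent(event) : null;
}

// Constructed sample event, as a content script might report it.
const SAMPLE_EVENT = {
  level: 'error',
  traceId: 'trc-42',
  url: 'https://app.example.com/?email=jane@example.com',
  headers: { authorization: 'Bearer abc.def.ghi', 'x-trace': 'trc-42' },
  user: { email: 'jane@example.com', id: 'u-7' },
  message: 'upstream 502 for Bearer abc.def.ghi',
};
```

Keep the allowlist of fields that may leave the client small and reviewed, and apply the same scrub to anything written to local logs, since those are the records handed over during incident response.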

Useful signals

  • Error context + trace IDs for root cause.
  • Queue drain time, retries/backoff metrics.
  • Permission grant/revoke events.

Incident response

Plan

  • Monitoring and alert thresholds tied to SLOs.
  • Rollback paths and feature flags.
  • Comms templates for users/reviewers.

Operate

  • Runbooks for known failure modes.
  • Drills and post-incident reviews.
  • Audit trail & evidence capture.