Opinion: Chrome extension permission justifications should be public in the Web Store
The Google Chrome team is making a lot of positive changes to how permissions are declared and scoped in Manifest V3. Requesting extension permissions at runtime, as is done on the mobile app platforms, makes a lot of sense. It creates an opportunity to explain to users why a specific permission is needed, and it gives them an opportunity to deny that permission. Overall, this should create a more secure and transparent extension ecosystem.
Where the system still falls short is required permissions. You can continue to list all permissions as required, and Chrome will continue to prompt users with the most abstract, scary-sounding installation dialogs. I once lost half of my active extension users because I whitelisted one externally_connectable domain. Chrome conveniently asked users whether they were okay with the extension communicating with websites. I don’t remember the exact wording, but it sounded threatening and it did not even mention which domain was whitelisted. I can’t blame users for uninstalling my extension.
The Chrome Web Store has recently started asking developers to provide written justifications for required permissions during the submission process. I think similar information should be provided to end users in the Web Store as well. This would give developers a chance to plead their case and explain some of the less common permissions.
I understand that this puts more burden on the end user to comprehend the justification. But it could be the extra bit of transparency that is needed to restore user trust in the extension platform.
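An added example, not code from the author or the Chrome team: a pre-publish check that lists which required permissions, host permissions and externally_connectable matches an update declares that the published manifest did not, and which entries moved from optional to required. The manifest keys are the Manifest V3 ones; the function names and both sample manifests are constructed for illustration.

```javascript
// Added example. Keys are Manifest V3 fields; function names are hypothetical.
const INSTALL_TIME_KEYS = ["permissions", "host_permissions"];
// Optional entries are granted later via chrome.permissions.request().
const RUNTIME_KEYS = ["optional_permissions", "optional_host_permissions"];

// Group a manifest's declarations: required, optional, externally_connectable.
function declared(manifest) {
  const collect = (keys) => new Set(keys.flatMap((k) => manifest[k] || []));
  const ec = manifest.externally_connectable || {};
  return {
    installTime: collect(INSTALL_TIME_KEYS),
    runtime: collect(RUNTIME_KEYS),
    externallyConnectable: new Set(ec.matches || []),
  };
}

// Report what an update declares that the published version did not.
function addedByUpdate(oldManifest, newManifest) {
  const before = declared(oldManifest);
  const after = declared(newManifest);
  const added = (group) =>
    [...after[group]].filter((p) => !before[group].has(p)).sort();
  return {
    installTime: added("installTime"),
    runtime: added("runtime"),
    externallyConnectable: added("externallyConnectable"),
    // Was optional in the published version, is required in the update.
    promoted: added("installTime").filter((p) => before.runtime.has(p)),
  };
}

// Constructed sample manifests (not from any real extension).
const published = {
  manifest_version: 3,
  permissions: ["storage"],
  optional_permissions: ["bookmarks"],
  externally_connectable: { matches: ["https://app.example.com/*"] },
};
const update = {
  manifest_version: 3,
  permissions: ["storage", "bookmarks"],
  optional_host_permissions: ["https://api.example.com/*"],
  externally_connectable: {
    matches: ["https://app.example.com/*", "https://partner.example.net/*"],
  },
};

console.log(addedByUpdate(published, update));
```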