The Architecture of Chrome Extension Permissions

Try Voice Writer - speak your thoughts and let AI handle the grammar: https://voicewriter.io

Voice Writer for Chrome: https://chromewebstore.google.com/det...

In this video, we learn about the architecture of Chrome extension permissions: from content scripts, popup pages, and service workers, I’ll explain how different components interact using message passing and why Chrome extensions require such strict security measures. We also go into Manifest V3, content security policies (CSP), and restrictions on using eval in extensions, and the threat model of why it was designed this way.

Blog post version of this video: https://voicewriter.io/blog/the-archi...

0:00 - Intro
1:24 - Manifest V2 and V3
1:43 - Manifest.json permissions
3:03 - Content scripts
4:59 - Background service workers
5:39 - Popup pages
7:00 - Example extension architecture
8:00 - Content security policies (CSP)
9:10 - Restrictions on eval and sandbox pages
10:47 - Security of this architecture
12:30 - Conclusion