host_permissions
Type | Array |
---|---|
Mandatory | No |
Manifest version | 3 or higher |
Example |
json
|
Use the host_permissions
key to request access for the APIs in your extension that read or modify host data, such as cookies
, webRequest
, and tabs
. This key is an array of strings, and each string is a request for a permission.
Requested permissions and user prompts
Users can grant or revoke host permissions on an ad hoc basis. Therefore., most browsers treat host_permissions
as optional.
On installation, when you request permissions using this key:
- Until Firefox 126, a Manifest V3 extension's requested host permissions weren't displayed in the install prompt. From Firefox 127, host permissions listed in
host_permissions
andcontent_scripts
are displayed in the install prompt. However, if an extension update requests new host permissions, these are not shown to the user. See (Firefox bug 1893232). - Chrome displays the permissions in the install prompt.
- Safari doesn't display requested host permissions in the install prompt.
Your extension can check whether it has all the required permissions immediately after installation using permissions.contains
. If it doesn't have the necessary permissions, it can request them using permissions.request
. Providing an onboarding step to explain why some permissions are necessary before requesting them might also be helpful.
As the request to grant host permissions may impact users' willingness to install your extension, requesting host permissions is worth careful consideration. For example, you want to avoid requesting unnecessary host permissions and may want to provide information about why you are requesting host permissions in your extension's store description. The article Request the right permissions provides more information on the issues you should consider.
For information on how to test and preview permission requests, see Test permission requests on the Extension Workshop site.
Format
Host permissions are specified as match patterns, and each pattern identifies a group of URLs for which the extension is requesting extra privileges. For example, a host permission could be "*://developer.mozilla.org/*"
.
The extra privileges include:
- XMLHttpRequest and fetch access to those origins without cross-origin restrictions (though not for requests from content scripts, as was the case in Manifest V2).
- the ability to read tab-specific metadata without the "tabs" permission, such as the
url
,title
, andfavIconUrl
properties oftabs.Tab
objects. - the ability to inject scripts programmatically (using
tabs.executeScript()
) into pages served from those origins. - the ability to receive events from the
webrequest
API for these hosts. - the ability to access cookies for that host using the
cookies
API, as long as the"cookies"
API permission is also included. - bypassing tracking protection for extension pages where a host is specified as a full domain or with wildcards.
In Firefox extensions get host permissions for their origin, which is of the form:
moz-extension:/
where 60a20a9b-1ad4-af49-9b6c-c64c98c37920
is the extension's internal ID. The extension can get this URL programmatically by calling extension.getURL()
:
browser.extension.getURL("");
// moz-extension://60a20a9b-1ad4-af49-9b6c-c64c98c37920/
Example
"host_permissions": ["*://developer.mozilla.org/*"]
Request privileged access to pages under developer.mozilla.org
.
Example extensions
Browser compatibility
BCD tables only load in the browser