
Navigating Chrome Web Store Policies: A Complete Guide

Extendable Team

Publishing to the Chrome Web Store requires navigating a complex set of policies designed to protect users. Understanding these policies before you build can save weeks of revision time. This guide covers the essential policies, common pitfalls, and strategies for approval.

The Policy Landscape

Chrome Web Store policies fall into several categories:

  • Content policies: What your extension can and cannot do
  • Privacy policies: How you handle user data
  • Technical policies: How your extension is built
  • Manifest policies: What you declare in manifest.json

Policy Updates: Google updates policies regularly. Subscribe to the Chrome Extensions documentation for announcements. Non-compliance with new policies can result in removal of previously approved extensions.

Essential Permission Guidelines

Request Minimum Permissions

Only request permissions your extension absolutely needs. The review team will scrutinize broad permissions.

High-Scrutiny Permissions:

  • <all_urls> or broad host permissions
  • tabs (especially with <all_urls>)
  • webRequest / webRequestBlocking
  • cookies
  • history
  • management

// Bad: Overly broad permissions
// (in Manifest V3, match patterns such as <all_urls> belong in host_permissions)
{
  "permissions": ["tabs", "cookies", "history"],
  "host_permissions": ["<all_urls>", "*://*/*"]
}

// Good: Minimal permissions
{
  "permissions": ["activeTab", "storage"],
  "host_permissions": ["https://specific-api.com/*"]
}
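
A pre-submission audit of a manifest against the high-scrutiny list above, added here as an example (it is not an official Chrome Web Store tool). The function names, finding levels, and both sample manifests are constructed for illustration, and the check assumes a Manifest V3 extension.

```javascript
// Added example: pre-submission manifest audit (not an official Web Store tool).
// HIGH_SCRUTINY mirrors this guide's list; the manifests below are constructed.
const HIGH_SCRUTINY = new Set([
  "tabs", "webRequest", "webRequestBlocking", "cookies", "history", "management",
]);

const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Broad = every site, or a wildcard over a whole top-level label (e.g. *.com).
function isBroadHost(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  return m !== null && (m[1] === "*" || /^\*\.[^.]+$/.test(m[1]));
}

function auditManifest(manifest) {
  const findings = [];
  const add = (level, item, note) => findings.push({ level, item, note });
  const perms = manifest.permissions ?? [];
  const hosts = [...(manifest.host_permissions ?? [])];

  for (const p of perms) {
    if (isHostPattern(p)) {
      // Assumption: an MV3 manifest, where match patterns go in host_permissions.
      add("error", p, "host pattern under permissions; move to host_permissions");
      hosts.push(p);
    } else if (HIGH_SCRUTINY.has(p)) {
      add("warn", p, "high-scrutiny permission; justify it or make it optional");
    }
  }
  for (const h of hosts.filter(isBroadHost)) {
    add("warn", h, "broad host access; prefer activeTab or a specific origin");
  }
  if (perms.includes("tabs") && hosts.some(isBroadHost)) {
    add("warn", "tabs", "tabs combined with broad host access");
  }
  return findings;
}

const broadManifest = {
  permissions: ["<all_urls>", "tabs", "cookies", "history"],
  host_permissions: ["*://*/*"],
};
const minimalManifest = {
  permissions: ["activeTab", "storage"],
  host_permissions: ["https://specific-api.com/*"],
};
for (const f of auditManifest(broadManifest)) console.log(f.level, f.item, "-", f.note);
console.log("minimal manifest findings:", auditManifest(minimalManifest).length);
```

Running the same function in CI against the packaged manifest.json catches a permission that crept in during development before a reviewer does.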

Use activeTab When Possible

activeTab is preferred over broad host permissions:

// With activeTab, you get temporary access to the current tab
// only when the user explicitly invokes your extension
chrome.action.onClicked.addListener(async (tab) => {
  // Access granted for this tab only
  await chrome.scripting.executeScript({
    target: { tabId: tab.id },
    func: () => {
      // Your code here
    }
  });
});

Justify All Permissions

Your store listing must explain why each permission is needed:

## Permissions Used

**activeTab**: Required to analyze the content of the current page when you click the extension icon.

**storage**: Saves your preferences and settings locally.

**identity**: Used for optional Google Sign-In to sync settings across devices.

Data Handling Requirements

Privacy Policy

A privacy policy is required if your extension:

  • Collects any user data
  • Uses remote servers
  • Includes analytics
  • Has any login or account features

Your privacy policy must include:

  • What data you collect
  • How you use the data
  • Whether you share data with third parties
  • How users can delete their data
  • Contact information

// Example Privacy Policy Structure

# Privacy Policy for [Extension Name]

## Data Collection
We collect the following data:
- Page URLs you explicitly choose to save (stored locally)
- Anonymous usage statistics (page views, feature usage)

## Data Usage
Saved URLs are stored locally on your device using Chrome's storage API.
Usage statistics help us improve the extension.

## Data Sharing
We do not sell or share your personal data with third parties.
Anonymous, aggregated usage data may be shared with analytics services.

## Data Deletion
You can delete all stored data by:
1. Going to extension options
2. Clicking "Clear All Data"
Or by uninstalling the extension.

## Contact
Email: privacy@yourextension.com

Limited Use Policy

If you request access to user data (browsing history, emails, etc.), you must comply with the Limited Use policy:

  1. Only use data for the stated purpose
  2. Don’t transfer data except for the primary purpose
  3. Don’t use data for advertising
  4. Don’t use data for creditworthiness or lending decisions

Single Purpose Policy

Your extension must have a single, clear purpose. Multi-function “Swiss army knife” extensions are often rejected.

Single Purpose Examples:

  • Good: "Block ads on web pages" (one purpose)
  • Good: "Save articles for later reading" (one purpose)
  • Bad: "Block ads, manage passwords, and download videos" (multiple purposes)

If you need multiple features, they should all support a single cohesive purpose:

Purpose: "Improve online shopping experience"
  - Feature 1: Price comparison
  - Feature 2: Coupon finder
  - Feature 3: Price history
  → All features support the single purpose

Code Quality Requirements

No Obfuscated Code

Your extension code must be readable. Minification is allowed, but obfuscation is not.

// Allowed: Minified code
function a(b,c){return b+c}const d=a(1,2);

// Not allowed: Obfuscated code
var _0x3f2a=['\x68\x65\x6c\x6c\x6f'];function _0x1b2c(){return _0x3f2a[0];}

If using bundlers, provide source maps or unminified source code during review if requested.

Remote Code Prohibition

Extensions cannot execute remotely hosted code. All JavaScript must be included in the extension package.

// Not allowed: Loading external scripts
const script = document.createElement('script');
script.src = 'https://example.com/code.js';
document.body.appendChild(script);

// Not allowed: eval with remote content
const code = await fetch('https://api.com/code');
eval(await code.text());

// Allowed: Remote data (not code)
const config = await fetch('https://api.com/config.json');
const settings = await config.json();
applySettings(settings);
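
A heuristic lint for the obfuscation markers and remote-code patterns shown in this section and the previous one, added here as an example (it is not the Web Store's review logic). The rule names and thresholds are assumptions, and the sample inputs are this guide's own snippets embedded as strings.

```javascript
// Added example: heuristic pre-submission lint (not the Web Store's review logic).
// Rule ids and thresholds are assumptions; plain text matching, so a pattern
// inside a comment or string literal is reported too.
const RULES = [
  { id: "obfuscated-identifier", re: /\b_0x[0-9a-f]{3,}\b/i },
  { id: "escaped-string-literal", re: /(['"])(?:\\x[0-9a-f]{2}|\\u[0-9a-f]{4}){4,}\1/i },
  { id: "eval-call", re: /\beval\s*\(/ },
  { id: "function-constructor", re: /\bnew\s+Function\s*\(/ },
  { id: "remote-script-src", re: /\.src\s*=\s*['"`]https?:\/\//i },
  { id: "remote-import", re: /\b(?:import|from|importScripts)\s*\(?\s*['"`]https?:\/\//i },
];

// Returns one finding per (line, rule) match, with 1-based line numbers.
function lintSource(file, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, i) => {
    for (const { id, re } of RULES) {
      if (re.test(line)) findings.push({ file, line: i + 1, rule: id });
    }
  });
  return findings;
}

// Sample inputs: the snippets from this guide, embedded as strings.
const SAMPLES = {
  "minified.js": "function a(b,c){return b+c}const d=a(1,2);",
  "obfuscated.js": String.raw`var _0x3f2a=['\x68\x65\x6c\x6c\x6f'];function _0x1b2c(){return _0x3f2a[0];}`,
  "remote-script.js": [
    "const script = document.createElement('script');",
    "script.src = 'https://example.com/code.js';",
    "document.body.appendChild(script);",
  ].join("\n"),
  "remote-eval.js": "const code = await fetch('https://api.com/code');\neval(await code.text());",
  "remote-data.js": "const config = await fetch('https://api.com/config.json');\nconst settings = await config.json();",
};

for (const [file, text] of Object.entries(SAMPLES)) {
  const hits = lintSource(file, text).map((f) => `${f.rule}@${f.line}`);
  console.log(file, hits.length ? hits.join(", ") : "clean");
}
```

The minified and remote-data samples pass, while the other three are flagged, which matches the allowed and not-allowed labels in the snippets above.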

User-Initiated Actions

Many operations require explicit user action:

// Good: User-initiated permission request
document.getElementById('enable-feature').addEventListener('click', async () => {
  const granted = await chrome.permissions.request({
    permissions: ['history']
  });
  if (granted) {
    enableHistoryFeature();
  }
});

// Bad: Auto-requesting on install
chrome.runtime.onInstalled.addListener(() => {
  chrome.permissions.request({ permissions: ['history'] }); // Will be rejected
});

Common Rejection Reasons

1. Misleading Functionality

Your extension must do what it claims. Don’t:

  • Overstate capabilities in the description
  • Use clickbait titles
  • Imply affiliation with other companies

2. Keyword Spam

Don’t stuff your listing with keywords:

// Bad
Photo Editor - Photo, Edit, Image, Picture, Filter, Enhance,
Retouch, Crop, Resize, Rotate, Free Photo Editor

// Good
Photo Editor - Quick edits for your browser
Easily crop, resize, and apply filters to images directly in Chrome.

3. Poor User Experience

Extensions will be rejected or removed if they:

  • Inject unexpected ads
  • Change user settings without consent
  • Are difficult to uninstall
  • Slow down browsing significantly

4. Insufficient Functionality

Extensions must provide real value. Very simple extensions might be rejected:

// Likely rejected: Too simple
chrome.action.onClicked.addListener(() => {
  alert('Hello!');
});

// Better: Provides actual value
chrome.action.onClicked.addListener(async (tab) => {
  // executeScript resolves to an array with one InjectionResult per frame
  const [{ result }] = await chrome.scripting.executeScript({
    target: { tabId: tab.id },
    func: analyzePageReadability
  });
  showReadabilityReport(result);
});

Review Process Tips

Before Submission

  1. Test thoroughly on multiple sites
  2. Review your manifest for unnecessary permissions
  3. Prepare justification for each permission
  4. Complete your privacy policy
  5. Take quality screenshots (1280x800 recommended)

During Review

Reviews typically take 1-3 business days. Factors affecting review time:

  • New developer accounts take longer
  • Broad permissions require deeper review
  • Holiday periods have longer queues

If Rejected

  1. Read the rejection email carefully - it specifies the policy violation
  2. Don’t argue - fix the issue and resubmit
  3. Be specific in your appeal if you believe it’s an error
  4. Use the one-appeal policy wisely - appeals are limited

Appeal Tips: If you believe your extension was incorrectly rejected, provide specific evidence. Reference the exact policy, explain why you believe you're compliant, and offer to make changes if needed.

Manifest V3 Requirements

As of 2024, new extensions must use Manifest V3:

{
  "manifest_version": 3,
  "name": "My Extension",
  "version": "1.0.0",
  "action": {
    "default_popup": "popup.html"
  },
  "background": {
    "service_worker": "background.js"
  },
  "content_security_policy": {
    "extension_pages": "script-src 'self'; object-src 'self'"
  }
}

Key MV3 changes:

  • Service workers instead of background pages
  • chrome.declarativeNetRequest instead of webRequestBlocking
  • No remote code execution
  • Stricter CSP defaults

Summary

Successful Chrome Web Store publishing requires understanding and respecting user privacy, requesting minimal permissions, and providing clear value. Build compliance into your development process rather than trying to fix issues after rejection.

Checklist before submission:

  • Minimal permissions requested
  • Privacy policy completed
  • Single, clear purpose defined
  • No obfuscated code
  • No remote code execution
  • Quality screenshots and description
  • Tested on multiple sites
  • All permissions justified in listing