activeTab

This permission is a safer alternative to asking for broad host permissions like <all_urls>. Use it when your extension's core functionality is "on-demand" and triggered by the user for a specific page.

Examples:

• A page-scraping extension that the user clicks to extract data from the current page.
• An extension that modifies the CSS of the current page (e.g., a "dark mode" toggle).
• A "save to service" button that needs the URL and title of the current page.

The activeTab permission is declared in the permissions array. It does not require any host permissions.

{
  "name": "My ActiveTab Extension",
  "version": "1.0",
  "manifest_version": 3,
  "permissions": [
    "activeTab",
    "scripting"
  ],
  "action": {
    "default_title": "Click me!"
  }
}

Note: You also need the scripting permission to use chrome.scripting.executeScript.

Why is it not risky?

This is one of the safest permissions. Think of it as giving an extension a temporary, one-time pass to the website you're currently viewing.

It only works when you click the extension's icon in your toolbar. The permission goes away as soon as you close or leave the page. Because you are always in control and the access isn't permanent, the risk of an extension secretly spying on you is almost zero. This is the preferred way for extensions to ask for access to a page.

Here's how you can inject a script into the active tab when the user clicks the extension's action icon.

// background.js

chrome.action.onClicked.addListener((tab) => {
  // The 'tab' object is automatically provided by the listener,
  // and activeTab grants us permission to script on its host.
  chrome.scripting.executeScript({
    target: { tabId: tab.id },
    func: () => {
      document.body.style.backgroundColor = 'lightblue';
    }
  });
});