gcm

The gcm permission grants an extension access to chrome.gcm, an API for receiving server-sent push messages. The "GCM" branding is legacy — Google Cloud Messaging was rebranded to Firebase Cloud Messaging (FCM) in 2018, but the extension API itself still works in current Chrome and continues to be supported for extensions.

What it does

  • Lets the extension register with the FCM service via chrome.gcm.register(senderIds) and receive a registration token unique to that user/install.
  • The extension forwards the token to its own backend, which can then send push messages to the registration token via FCM's HTTP / HTTP v1 API.
  • Chrome wakes the extension's service worker and dispatches the payload via chrome.gcm.onMessage.
  • Messages are limited to 4 KB of payload data per message.

Modern Alternatives

For new extensions you have a few options. chrome.gcm is still the only built-in extension push channel; the alternatives below trade away true server push for simplicity:

  1. chrome.gcm — best fit when you need real push (low-latency, server-initiated) without keeping a connection open.
  2. WebSockets — the service worker can keep a connection open while it has work to do, but Chrome aggressively shuts down idle service workers, so long-lived sockets are awkward to maintain.
  3. Polling with chrome.alarms — periodic fetch from a chrome.alarms listener. Simple, but not real-time.

When to use it

Use gcm for extensions that need timely server-initiated updates without holding a connection open.

Examples:

  • A chat extension that surfaces a notification for new messages.
  • A sync extension that needs to invalidate local caches when remote data changes.
  • A monitoring extension that pushes alerts when a watched condition fires.

Manifest Declaration

{
  "name": "My GCM Extension",
  "version": "1.0",
  "manifest_version": 3,
  "permissions": [
    "gcm",
    "notifications"
  ],
  "background": {
    "service_worker": "background.js"
  }
}

Security & Privacy

Why is it low risk?

The permission only lets the extension receive messages from servers it has registered with. It doesn't expose user data to the server beyond whatever the extension explicitly sends; the registration token itself is opaque and tied to the user's specific Chrome install of this extension.

The risk is mostly indirect: an attacker who steals the registration token from your backend can spam the user with push notifications until the user removes the extension or you rotate the token.

API Usage Example

// background.js

// Register on install. Use your FCM project's sender ID.
chrome.runtime.onInstalled.addListener(() => {
  chrome.gcm.register(['1234567890'], (registrationId) => {
    if (chrome.runtime.lastError) {
      console.error('GCM registration failed:', chrome.runtime.lastError.message);
      return;
    }
    console.log('GCM registration ID:', registrationId);
    // Send registrationId to your server so it can target this client.
  });
});

// Receive incoming push messages.
chrome.gcm.onMessage.addListener((message) => {
  console.log('Push message received:', message.data);
  chrome.notifications.create({
    type: 'basic',
    iconUrl: 'icon.png',
    title: 'New message',
    message: message.data?.body ?? '(no body)'
  });
});

// Optional: surface send errors (e.g., quota or auth issues).
chrome.gcm.onSendError.addListener((error) => {
  console.error('GCM send error:', error);
});
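The risk described under Security & Privacy (unwanted pushes reaching the user) can be reduced inside the onMessage handler. The following is an added example, not code from the original page: it assumes message.from carries the sender ID that was passed to register(), and the constants and helper names (ALLOWED_SENDERS, MAX_BODY_CHARS, MAX_PER_MINUTE, sanitizePush, allowNotification) are hypothetical.

```javascript
// Added example: validate a chrome.gcm push before showing it to the user.
const ALLOWED_SENDERS = new Set(['1234567890']); // sender ID used in register() above
const MAX_BODY_CHARS = 200; // assumed display cap
const MAX_PER_MINUTE = 5;   // assumed notification budget

// Returns {title, message} for an acceptable payload, otherwise null.
function sanitizePush(message) {
  if (!message || typeof message !== 'object') return null;
  // Drop anything not sent from a sender ID this extension registered with
  // (assumption: message.from is populated with that sender ID).
  if (typeof message.from !== 'string' || !ALLOWED_SENDERS.has(message.from)) return null;
  const data = message.data;
  if (!data || typeof data !== 'object') return null;
  const body = data.body;
  if (typeof body !== 'string' || body.length === 0) return null;
  // Replace control characters and cap the length before display.
  const clean = body.replace(/[\u0000-\u001f\u007f]/g, ' ').trim().slice(0, MAX_BODY_CHARS);
  if (clean.length === 0) return null;
  return { title: 'New message', message: clean };
}

// Sliding-window limiter: true if another notification may be shown at `now` (ms).
function allowNotification(history, now) {
  while (history.length && now - history[0] >= 60000) history.shift();
  if (history.length >= MAX_PER_MINUTE) return false;
  history.push(now);
  return true;
}

// Wire into the extension only when the API is present (so the file also loads under Node).
if (typeof chrome !== 'undefined' && chrome.gcm) {
  const shown = []; // in-memory only; resets when the service worker is stopped
  chrome.gcm.onMessage.addListener((message) => {
    const note = sanitizePush(message);
    if (!note || !allowNotification(shown, Date.now())) return;
    chrome.notifications.create({ type: 'basic', iconUrl: 'icon.png', ...note });
  });
}
```

Because the limiter state lives in service-worker memory, it only bounds bursts within one worker lifetime; persisting the timestamps (for example in chrome.storage.session) would be needed for a budget that survives restarts.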
