The scripting permission is new in Manifest V3 and provides a dedicated API for executing scripts and inserting CSS into websites.
What it does
- Execute Script: Run a function or script file in a target tab via
chrome.scripting.executeScript. This is the Manifest V3 replacement forchrome.tabs.executeScript. - Insert / Remove CSS: Inject or remove stylesheets via
chrome.scripting.insertCSS/removeCSS. Replaceschrome.tabs.insertCSS. - Register Content Scripts: Dynamically add, update, or remove content scripts at runtime via
registerContentScripts,updateContentScripts,unregisterContentScripts, andgetRegisteredContentScripts. - Choose execution world: Pass
world: 'MAIN'to run a script in the page's main world (sharing globals with the page) orworld: 'ISOLATED'(default — the extension's isolated world).
When to use it
This permission is essential for nearly any extension that needs to modify or read the content of web pages.
Examples:
- A password manager that injects a script to fill login forms.
- A "dark mode" extension that inserts a custom stylesheet.
- A web-clipping tool that executes a script to extract selected content.
- An ad-blocker that dynamically registers scripts to block certain resources.
Manifest Declaration
The scripting permission requires host permissions for the sites where you want to run scripts. You can get these permissions by either requesting them upfront in host_permissions or temporarily by using the activeTab permission.
{
"name": "My Scripting Extension",
"version": "1.0",
"manifest_version": 3,
"permissions": [
"scripting"
],
"host_permissions": [
"https://*.example.com/*"
],
"action": {}
}Security & Privacy
Why is it risky?
This permission allows an extension to run its own code on the websites you visit. It is one of the most common and powerful permissions. An extension with this ability can essentially do anything you can do on a webpage.
A malicious extension could use this to:
- Steal your passwords and credit card numbers as you type them.
- Read your private information, like emails or bank balances.
- Insert ads or malware into pages you visit.
- Change the content of websites to trick you.
When an extension asks for this permission for "all websites", it is asking for a huge amount of trust. The safest extensions use the activeTab permission instead, which only grants this power for the current page when you click the extension's icon.
API Usage Example
This example injects a script to change the background color of example.com pages.
// background.js
// This listener fires when the user navigates to a new page
chrome.tabs.onUpdated.addListener((tabId, changeInfo, tab) => {
// Check if the tab has finished loading and the URL matches
if (changeInfo.status === 'complete' && tab.url && tab.url.includes('example.com')) {
chrome.scripting.executeScript({
target: { tabId: tabId },
func: changeBackgroundColor, // The function to execute
args: ['#f0f8ff'] // Arguments to pass to the function
}).then(() => {
console.log("Injected a background color change script.");
}).catch(err => console.error(err));
}
});
// This function will be executed in the context of the web page
function changeBackgroundColor(color) {
document.body.style.backgroundColor = color;
}Extensions with the scripting permission
Here are some popular browser extensions that use the "scripting" permission. To explore more, try our Advanced search.
Chrome extensions with "scripting" permission
322M 4.40 
(61,731)
147M 4.59 (15,353)
65M 2.77 (1,309)
61M 4.47 (290,343)
38M 4.39 (187,964)
37M 4.50 (43,094)
32M 4.24 (44,773)
20M 4.02 (3,627)
19M 3.86 (1,978)
18M 4.53 (5,548)
Edge add-ons with "scripting" permission
23M 4.30 (3)
23M 3.40 (1,243)
14M 4.00 (12)
13M 4.80 (5,105)
12M 3.90 (1,161)
9M 2.30 (170)
9M 3.00 (2)
8M 3.60 (1,557)
7M 4.20 (934)
6M 3.40 (37)
Firefox add-ons with "scripting" permission
2M 4.30 (41,905)
1M 4.42 (5,598)
747K 4.81 (3,143)
487K 4.56 (981)
452K 4.19 (920)
432K 4.61 (1,805)
398K 3.65 (8,936)
383K 4.58 (5,002)
370K 3.82 (1,786)
362K 4.12 (19,599)