About the browser extension permission diff
The browser extension permission diff turns two pasted manifests, the current version and the proposed update, into a quick read on what access is changing before you approve a rollout. Paste both manifests, select build permission diff, and the tool lists every API permission and host match pattern that was added, removed, or left unchanged, each with a risk level and a short review note. It then gives you a markdown approval note for your change ticket and a CSV of the diff for a review log.
The point is to make a risky update easy to spot. A new broad host pattern such as all sites, a newly requested scripting, cookies, webRequest, or nativeMessaging permission, or any added access that widens what an installed extension can read is flagged high so it does not slip through a version bump. The parse runs entirely in your browser. The manifest text, extension IDs, host patterns, and permission names are not uploaded, logged, or stored, which matters because a manifest can reveal internal SaaS domains and your browser policy posture. This is a review aid, not a policy engine, so read the full manifest before you approve the update.
How to use
- Copy the manifest.json from the extension version you currently allow.
- Copy the manifest.json from the proposed update you are reviewing.
- Paste the current manifest on the left and the proposed manifest on the right. Two sample Manifest V3 manifests are loaded so you can see the format the tool expects.
- Select build permission diff to see the added, removed, and unchanged permissions, the added-permission risk counts, and a per-permission table.
- Review the high-risk added rows first. These cover new broad host access and newly requested sensitive API permissions.
- Copy the approval note into your change ticket or download the CSV for your review log, then read the full manifest before you approve the update.
Worked examples
A host permission that widens to all sites
When the new manifest replaces a specific domain with a broad pattern such as <all_urls> or *://*/*, the added host row is flagged high risk because the update can now read and change every site.
A newly requested scripting or cookies permission
An API permission that the old version did not request, such as scripting, cookies, webRequest, or nativeMessaging, is flagged high risk so the new capability is reviewed before approval.
A storage permission present in both versions
A permission that is unchanged between the two manifests is listed as unchanged at low risk so your attention stays on the grants the update adds.
Frequently asked questions
- Which manifests does it read?
- Chrome and Edge extension manifest.json in Manifest V3 and Manifest V2 form. Manifest V3 keeps host match patterns in host_permissions and optional_host_permissions; Manifest V2 mixes them into permissions. The tool separates API permissions from host patterns for both. Firefox and Safari manifest dialects are a planned follow-up.
- How does it decide the risk level?
- It uses deterministic heuristics. A host pattern whose host is a wildcard, such as <all_urls> or *://*/*, is high risk. A host pattern scoped to a specific domain is medium. Sensitive API permissions such as tabs, scripting, webRequest, declarativeNetRequest, debugger, nativeMessaging, proxy, management, cookies, privacy, history, downloads, and clipboardRead are high risk. Other API permissions are low.
- Is my manifest uploaded anywhere?
- No. The diff runs entirely in your browser. The manifest text, extension IDs, host patterns, and permission names are never uploaded, logged, or stored, and they are not included in any analytics. Only coarse, anonymous count bands are recorded so we can tell how often the tool is used.
- Does it resolve what a permission can actually do at runtime?
- No. It compares the declared permissions and host patterns between two manifests and ranks the changes by a fixed risk heuristic. It does not run the extension, inspect its code, or resolve effective access. Use it to triage an update, not to certify it.
- Does this replace an extension security review?
- No. It is a fast triage aid that surfaces the permission changes most likely to widen access. It does not read the extension code, check the publisher, or enforce policy. Always read the full manifest and keep using your extension management and review process.
- Is the browser extension permission diff free?
- Yes. It is free to use and does not require an account.
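
The diff and risk heuristic described above, sketched as an added JavaScript example; it is not the tool's own code. The host-pattern test (`<all_urls>` or a string containing `://`), the choice to report removed rows as low, and the sample manifests are assumptions made for illustration.

```javascript
// Added example. The sensitive API names below are the ones the page lists.
const SENSITIVE = new Set(["tabs", "scripting", "webRequest", "declarativeNetRequest",
  "debugger", "nativeMessaging", "proxy", "management", "cookies", "privacy",
  "history", "downloads", "clipboardRead"]);

// Assumption: an entry is a host match pattern if it is <all_urls> or contains "://".
const isHostPattern = (p) => p === "<all_urls>" || p.includes("://");

// Split a manifest into API permissions and host patterns. Manifest V2 mixes
// hosts into "permissions", so every entry is classified, not just trusted by key.
function collect(manifest) {
  const api = new Set(), hosts = new Set();
  for (const key of ["permissions", "host_permissions", "optional_host_permissions"]) {
    for (const p of manifest[key] || []) {
      if (typeof p === "string") (isHostPattern(p) ? hosts : api).add(p);
    }
  }
  return { api, hosts };
}

// High when the host part is a bare wildcard, medium when scoped to a domain.
function hostRisk(pattern) {
  if (pattern === "<all_urls>") return "high";
  const m = /^[^:]+:\/\/([^/]*)/.exec(pattern);
  return m && m[1] === "*" ? "high" : "medium";
}

function diffPermissions(oldManifest, newManifest) {
  const before = collect(oldManifest), after = collect(newManifest), rows = [];
  for (const kind of ["api", "hosts"]) {
    const names = new Set([...before[kind], ...after[kind]]);
    for (const name of [...names].sort()) {
      const change = !before[kind].has(name) ? "added"
        : !after[kind].has(name) ? "removed" : "unchanged";
      const level = kind === "hosts" ? hostRisk(name) : SENSITIVE.has(name) ? "high" : "low";
      // Assumption: only added grants carry the heuristic level; the rest report low.
      rows.push({ kind, name, change, risk: change === "added" ? level : "low" });
    }
  }
  return rows;
}

// Constructed sample manifests (not from any real extension).
const OLD_MANIFEST = { manifest_version: 3, permissions: ["storage", "activeTab"],
  host_permissions: ["https://app.example.com/*"] };
const NEW_MANIFEST = { manifest_version: 3, permissions: ["storage", "scripting", "cookies"],
  host_permissions: ["<all_urls>"] };
const highAdded = (rows) => rows.filter((r) => r.change === "added" && r.risk === "high");
console.log(highAdded(diffPermissions(OLD_MANIFEST, NEW_MANIFEST)).map((r) => r.name));
```

Run it with Node.js; the rows to review first are the ones `highAdded` returns.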