ExtensionAudit.ai

Knowledge Base

Comprehensive Chrome Web Store policy reference. Search by error code, category, severity, or keyword.


Manifest Version Check

Severity: Critical | Category: Manifest

Extensions must declare manifest_version: 3 for MV3 compliance. Manifest V2 extensions are no longer accepted by the Chrome Web Store.

Rule ID

manifest_version

💡 How to Fix

Update your manifest.json to include "manifest_version": 3 and migrate your extension from MV2 to MV3. This may require updating background scripts to service workers and adjusting permission declarations.

Missing Required Fields

Severity: Medium | Category: Manifest

Manifest must include required fields: name and version. These are mandatory for all Chrome extensions.

Rule ID

missing_fields

💡 How to Fix

Add the missing fields to your manifest.json. Example: {"name": "My Extension", "version": "1.0.0"}

Remote Code Execution

Severity: Critical | Category: Security

Extensions cannot execute remote code or use eval(), new Function(), or similar dynamic code execution. MV3 strictly prohibits remote scripts and dynamic code evaluation for security reasons.

Rule ID

remote_eval_new

💡 How to Fix

Remove all eval() calls, new Function() usage, and remote script loading. Bundle all code within your extension package. Use static functions and logic instead of dynamic code generation.

Excessive Permissions

Severity: High | Category: Permissions

Extensions should only request permissions that are necessary for functionality. Excessive or unused permissions can lead to rejection. Sensitive permissions like tabs, history, or <all_urls> require strong justification.

Rule ID

permissions

💡 How to Fix

Request only the narrowest permissions necessary. Remove unused permissions from manifest.json. Use optional permissions for features that aren't core to your extension. Document why each permission is needed in your store listing.

Privacy Policy

Severity: High | Category: Privacy

Extensions that collect user data must provide a privacy policy. This includes any data collection, storage, or transmission. The policy must be accessible via HTTPS and clearly describe what data is collected and how it's used.

Rule ID

privacy

Policy Reference

Chrome Web Store - User Data

💡 How to Fix

Create a privacy policy that describes what data you collect, how it's used, and how it's stored. Host it on an HTTPS URL and add the link to your Chrome Web Store listing. If you don't collect data, you may still need a policy stating that.

Code Obfuscation

Severity: High | Category: Code Quality

Extensions must maintain code readability. Excessive obfuscation is not allowed. While minification is acceptable, deliberate obfuscation that makes code unreadable violates Chrome Web Store policies.

Rule ID

obfuscation

💡 How to Fix

Avoid obfuscators that generate _0x-prefixed variables or extremely long lines. Use standard minification tools that preserve code structure. Provide a non-obfuscated debug version if requested.

Insecure HTTP Calls

Severity: High | Category: Security

All network requests must use HTTPS. HTTP URLs are not allowed for security reasons. All data transmission must be encrypted.

Rule ID

http_calls

Policy Reference

Chrome Web Store - User Data

💡 How to Fix

Replace all http:// URLs with https://. Ensure all network requests, API calls, and resource loading use secure protocols.

Content Security Policy

Severity: Medium | Category: Security

Extensions should implement a strict Content Security Policy. Avoid the unsafe-inline and unsafe-eval directives, which weaken security.

Rule ID

csp_strictness

Policy Reference

Chrome Web Store - CSP

💡 How to Fix

Remove unsafe-inline and unsafe-eval from your CSP. Use nonces or hashes for inline scripts. Move inline event handlers to external JavaScript files.

Dynamic Script Injection

Severity: High | Category: Security

MV3 forbids dynamic loading of remote code via createElement('script') or document.write. All scripts must be bundled in the extension package.

Rule ID

dynamic_script

💡 How to Fix

Remove dynamic script injection. Bundle all scripts within your extension and avoid document.write for scripts. Use static script tags in HTML files.

Telemetry and Tracking

Severity: Medium | Category: Privacy

Telemetry and tracking must be disclosed in privacy policy and allow user opt-out. Common tracking services include Google Analytics, Mixpanel, Segment, and others.

Rule ID

telemetry

Policy Reference

Chrome Web Store - User Data

💡 How to Fix

Disclose analytics usage clearly in your privacy policy. Provide users with an opt-out mechanism. Consider using privacy-friendly analytics or making tracking optional.

Third-Party Libraries

Severity: Medium | Category: Security

Third-party libraries should be kept up to date and free of known vulnerabilities. Outdated libraries with CVEs pose security risks.

Rule ID

third_party_libs

💡 How to Fix

Update libraries to the latest secure versions. Remove unused or vulnerable libraries. Regularly audit dependencies for known CVEs using tools like npm audit or similar.

Metadata Completeness

Severity: Medium | Category: Metadata

Extensions must provide enough information in description and metadata for users to understand functionality. Missing icons or descriptions reduce listing quality.

Rule ID

metadata

💡 How to Fix

Add a meaningful description (30+ characters) and icons of sizes 16, 32, 48, and 128 pixels to your manifest. Ensure the description accurately reflects your extension's functionality.

Prohibited Content

Severity: Critical | Category: Content

Detects content that violates Chrome Web Store policies (gambling, pornography, hate, violence). Such content is strictly prohibited and results in immediate rejection.

Rule ID

prohibited

⚠️ Critical Issue

Remove all prohibited content immediately. The Chrome Web Store bans gambling, pornography, violent or hateful material. Extensions containing such content will be rejected.

Packaging Errors

Severity: Medium | Category: Packaging

Files referenced in manifest must exist in the package. Missing files will cause the extension to fail at runtime.

Rule ID

packaging

💡 How to Fix

Include all files referenced in your manifest (service_worker, content_scripts, popup files, icons, etc.) in your extension package. Verify file paths match exactly.

Minimum Functionality

Severity: Low | Category: Functionality

Extensions must provide some functionality and include JavaScript files. Empty or non-functional extensions will be rejected.

Rule ID

minimum

💡 How to Fix

Ensure your extension includes functional code (JavaScript files) and provides a clear benefit to users. Avoid placeholder or empty extensions.

Manifest Cross Consistency

Severity: Medium | Category: Manifest

Validates content_scripts patterns, service worker usage, popup files and icon coverage. Ensures manifest structure is correct for MV3.

Rule ID

manifest_consistency

💡 How to Fix

Ensure that every content_scripts `matches` pattern starts with a valid scheme (http, https, file, or *). Verify that the service_worker file exists in the package. Remove the deprecated background `scripts` property when using service_worker. Include the recommended icon sizes (16, 32, 48, 128).
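The manifest rules above (manifest_version, missing_fields, manifest_consistency, csp_strictness and the packaging check for referenced files) can be exercised with a small validator. The following is an added example written for this page, not ExtensionAudit.ai's own scanner; the finding shape, the severity labels, the sample manifests and the package file lists are constructed for illustration.

```javascript
// Added example (not ExtensionAudit.ai's code): an MV3 manifest validator
// for the manifest_version, missing_fields, manifest_consistency,
// csp_strictness and packaging rules. The finding shape, sample manifests
// and package file lists are constructed for this example.

const VALID_SCHEMES = ["http", "https", "file", "*"];
const RECOMMENDED_ICONS = [16, 32, 48, 128];

// manifest: parsed manifest.json; packageFiles: Set of paths in the package.
function validateManifest(manifest, packageFiles) {
  const findings = [];
  const add = (rule, severity, message) => findings.push({ rule, severity, message });
  const requireFile = (path, what) => {
    if (path && !packageFiles.has(path)) add("packaging", "Medium", `${what} "${path}" is not in the package`);
  };

  // manifest_version: only MV3 is accepted.
  if (manifest.manifest_version !== 3) {
    add("manifest_version", "Critical", `manifest_version must be 3, found ${JSON.stringify(manifest.manifest_version)}`);
  }

  // missing_fields: name and version are mandatory.
  for (const field of ["name", "version"]) {
    if (typeof manifest[field] !== "string" || manifest[field].trim() === "") {
      add("missing_fields", "Medium", `required field "${field}" is missing or empty`);
    }
  }

  // manifest_consistency: background must be a service worker, not MV2 scripts.
  const bg = manifest.background || {};
  if (Array.isArray(bg.scripts)) {
    add("manifest_consistency", "Medium", "background.scripts is MV2-only; use background.service_worker");
  }
  requireFile(bg.service_worker, "service_worker");
  requireFile((manifest.action || {}).default_popup, "action.default_popup");

  // manifest_consistency: every content_scripts match pattern needs a valid scheme.
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const pattern of cs.matches || []) {
      const scheme = pattern.includes("://") ? pattern.split("://")[0] : null;
      if (pattern !== "<all_urls>" && !VALID_SCHEMES.includes(scheme)) {
        add("manifest_consistency", "Medium", `content_scripts[${i}] has an invalid match pattern "${pattern}"`);
      }
    }
    for (const js of cs.js || []) requireFile(js, `content_scripts[${i}] script`);
  });

  // manifest_consistency: recommended icon sizes should all be present and packaged.
  const icons = manifest.icons || {};
  const missing = RECOMMENDED_ICONS.filter((size) => !icons[String(size)]);
  if (missing.length) add("manifest_consistency", "Medium", `missing recommended icon sizes: ${missing.join(", ")}`);
  for (const path of Object.values(icons)) requireFile(path, "icon");

  // csp_strictness: MV3 keeps the policy under content_security_policy.extension_pages
  // (MV2 used a plain string); flag the two directives that weaken it most.
  const csp = manifest.content_security_policy;
  const policy = typeof csp === "string" ? csp : (csp && csp.extension_pages) || "";
  for (const directive of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (policy.includes(directive)) add("csp_strictness", "Medium", `extension_pages CSP contains ${directive}`);
  }
  return findings;
}

// Constructed sample: an MV2-style manifest with several problems.
const WEAK_MANIFEST = {
  manifest_version: 2,
  name: "Example",
  background: { scripts: ["background.js"] },
  action: { default_popup: "popup.html" },
  content_scripts: [{ matches: ["example.com/*"], js: ["content.js"] }],
  icons: { "16": "icon16.png", "128": "icon128.png" },
  content_security_policy: "script-src 'self' 'unsafe-eval'; object-src 'self'",
};
const WEAK_FILES = new Set(["manifest.json", "background.js", "content.js", "icon16.png", "icon128.png"]);

// Constructed sample: the corrected MV3 manifest with every referenced file packaged.
const GOOD_MANIFEST = {
  manifest_version: 3,
  name: "Example",
  version: "1.0.0",
  background: { service_worker: "sw.js" },
  action: { default_popup: "popup.html" },
  content_scripts: [{ matches: ["https://example.com/*"], js: ["content.js"] }],
  icons: { "16": "i16.png", "32": "i32.png", "48": "i48.png", "128": "i128.png" },
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};
const GOOD_FILES = new Set(["manifest.json", "sw.js", "popup.html", "content.js", "i16.png", "i32.png", "i48.png", "i128.png"]);

console.log(validateManifest(WEAK_MANIFEST, WEAK_FILES)); // 7 findings
console.log(validateManifest(GOOD_MANIFEST, GOOD_FILES)); // []
```

The weak manifest produces seven findings: the MV2 version, the missing `version` field, the deprecated `background.scripts`, the unpackaged popup, the schemeless match pattern, the two missing icon sizes, and the `'unsafe-eval'` directive. The corrected manifest is clean.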

Missing Permissions

Severity: Medium | Category: Permissions

Chrome APIs are used without the corresponding manifest permissions. This causes runtime errors when the extension tries to call these APIs.

Rule ID

api_missing_permissions

💡 How to Fix

Declare the corresponding permissions in manifest.json for each Chrome API you use (e.g., chrome.tabs requires 'tabs' permission). Remove API calls if permissions are not needed.
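The two permission rules (excessive or unused permissions above, and missing API permissions here) are two directions of the same comparison: the `chrome.*` namespaces the code actually calls versus what manifest.json declares. The following is an added example, not ExtensionAudit.ai's inference engine; the namespace-to-permission map is a deliberately simplified heuristic (several `chrome.tabs` methods, for instance, work without the `tabs` permission), and the sample manifest and sources are constructed.

```javascript
// Added example (not ExtensionAudit.ai's code): permission inference in both
// directions. API_PERMISSIONS is a simplified, constructed heuristic map;
// the sample manifest and source snippets are constructed for this example.

const API_PERMISSIONS = {
  storage: "storage", cookies: "cookies", history: "history", bookmarks: "bookmarks",
  tabs: "tabs", alarms: "alarms", notifications: "notifications",
};
// Permissions the store expects strong justification for (from the rule text above).
const SENSITIVE = ["tabs", "history", "<all_urls>"];

// Collect the chrome.<namespace>. prefixes referenced anywhere in the sources.
function usedApiNamespaces(sources) {
  const used = new Set();
  const re = /\bchrome\.([a-zA-Z]+)\./g;
  for (const src of sources) {
    for (const m of src.matchAll(re)) used.add(m[1]);
  }
  return used;
}

function auditPermissions(manifest, sources) {
  const required = manifest.permissions || [];
  const declared = new Set([...required, ...(manifest.optional_permissions || [])]);
  const hosts = manifest.host_permissions || [];
  const used = usedApiNamespaces(sources);

  // Permissions implied by the APIs the code calls.
  const needed = new Set([...used].map((ns) => API_PERMISSIONS[ns]).filter(Boolean));

  // api_missing_permissions: needed but not declared (required or optional).
  const missing = [...needed].filter((perm) => !declared.has(perm));

  // permissions: declared as required but never implied by any API call.
  // Only permissions this heuristic knows about are judged, to avoid false alarms.
  const known = new Set(Object.values(API_PERMISSIONS));
  const unused = required.filter((perm) => known.has(perm) && !needed.has(perm));

  // Sensitive permissions that need a justification in the store listing.
  const sensitive = [...required, ...hosts].filter((perm) => SENSITIVE.includes(perm));

  return { missing: missing.sort(), unused: unused.sort(), sensitive: sensitive.sort() };
}

// Constructed sample manifest and sources.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example",
  version: "1.0.0",
  permissions: ["storage", "history", "alarms"],
  host_permissions: ["<all_urls>"],
};
const SAMPLE_SOURCES = [
  "chrome.storage.local.get(['cfg'], (r) => init(r.cfg));",
  "chrome.tabs.query({ active: true }, (tabs) => console.log(tabs[0].url));",
  "chrome.cookies.get({ url: 'https://example.com', name: 'session' }, cb);",
  "chrome.runtime.onMessage.addListener(handleMessage);",
];

console.log(auditPermissions(SAMPLE_MANIFEST, SAMPLE_SOURCES));
// { missing: ['cookies', 'tabs'], unused: ['alarms', 'history'], sensitive: ['<all_urls>', 'history'] }
```

`chrome.runtime` needs no permission and is ignored; `cookies` and `tabs` are used but undeclared, `alarms` and `history` are declared but never used, and `history` plus `<all_urls>` need a justification in the listing.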

Security Hardening

Severity: Medium | Category: Security

Checks for CSP presence, unsafe directives, and innerHTML usage in HTML/JS files. Security hardening helps protect against XSS attacks.

Rule ID

security_hardening

Policy Reference

Chrome Web Store - Security

💡 How to Fix

Add CSP meta tags to HTML files. Remove unsafe-inline and unsafe-eval directives. Sanitize inputs when using innerHTML. Use nonces or hashes for inline scripts.

Debug/Test Artifacts

Severity: Low | Category: Code Quality

Detects console logs, localhost references, TODO markers, .map files and other debug code. These should be removed before publishing to production.

Rule ID

debug_artifacts

💡 How to Fix

Remove console.log statements, debug code, localhost references, TODO markers, and .map files before publishing. Use build tools to strip debug code in production builds.
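Several of the rules above (remote_eval_new, dynamic_script, http_calls, the innerHTML part of security_hardening, obfuscation and debug_artifacts) are source-pattern checks. The following is an added example, not ExtensionAudit.ai's scanner, showing a line-oriented scan over a constructed risky source file and over a remediated version of the same logic; the regexes, the long-line threshold and both sample sources are assumptions made for this example.

```javascript
// Added example (not ExtensionAudit.ai's scanner): a line-oriented static
// scan for the remote_eval_new, dynamic_script, http_calls,
// security_hardening, obfuscation and debug_artifacts rules. Patterns,
// thresholds and the sample sources are constructed for this example.

const MAX_LINE_LENGTH = 1000; // assumed threshold for "extremely long lines"

const PATTERNS = [
  { rule: "remote_eval_new",    severity: "Critical", re: /\beval\s*\(|\bnew\s+Function\s*\(/ },
  { rule: "dynamic_script",     severity: "High",     re: /createElement\s*\(\s*['"]script['"]\s*\)|document\.write\s*\(/ },
  { rule: "http_calls",         severity: "High",     re: /['"`]http:\/\//i },
  { rule: "security_hardening", severity: "Medium",   re: /\.innerHTML\s*\+?=/ },
  { rule: "obfuscation",        severity: "High",     re: /\b_0x[0-9a-f]{2,}\b/i },
  { rule: "debug_artifacts",    severity: "Low",      re: /console\.log\s*\(|\bTODO\b|localhost|127\.0\.0\.1/ },
];

function scanSource(filename, source) {
  const findings = [];
  source.split("\n").forEach((line, idx) => {
    const trimmed = line.trim();
    // Skip obvious comment lines to reduce false positives; a production scanner
    // would tokenize the source instead of relying on this shortcut.
    if (trimmed.startsWith("//") || trimmed.startsWith("*") || trimmed.startsWith("/*")) return;
    for (const p of PATTERNS) {
      if (p.re.test(line)) findings.push({ rule: p.rule, severity: p.severity, file: filename, line: idx + 1 });
    }
    if (line.length > MAX_LINE_LENGTH) {
      findings.push({ rule: "obfuscation", severity: "High", file: filename, line: idx + 1 });
    }
  });
  return findings;
}

// Constructed sample source with one problem per rule (not a real extension).
const RISKY_SOURCE = [
  "// content.js (constructed sample)",
  "const cfg = JSON.parse(localStorage.getItem('cfg') || '{}');",
  "const handler = new Function('return ' + cfg.expr);",
  "fetch('http://api.example.com/events', { method: 'POST' });",
  "const s = document.createElement('script');",
  "s.src = 'https://cdn.example.com/lib.js'; document.head.appendChild(s);",
  "document.getElementById('out').innerHTML = cfg.html;",
  "const _0x1a2b = ['a', 'b'];",
  "console.log('TODO: remove before publishing');",
  "const ws = new WebSocket('ws://localhost:8080');",
].join("\n");

// Remediated version of the same logic: a static dispatch table instead of
// generated code, HTTPS only, textContent instead of innerHTML, no debug code.
const HARDENED_SOURCE = [
  "const cfg = JSON.parse(localStorage.getItem('cfg') || '{}');",
  "const handlers = { double: (x) => x * 2, negate: (x) => -x };",
  "const handler = handlers[cfg.op] || ((x) => x);",
  "fetch('https://api.example.com/events', { method: 'POST' });",
  "document.getElementById('out').textContent = cfg.text;",
].join("\n");

console.log(scanSource("content.js", RISKY_SOURCE));    // 7 findings
console.log(scanSource("content.js", HARDENED_SOURCE)); // []
```

The risky sample yields seven findings (lines 3, 4, 5, 7, 8, 9 and 10); line 6 is left alone because loading a bundled library over HTTPS via `appendChild` is only flagged at the `createElement('script')` call on line 5. The hardened version scans clean, which is the shape a "How to Fix" remediation should leave the code in.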

Description vs Reality

Severity: Medium | Category: Metadata

Compares the manifest description against the permissions and API usage to flag potential misrepresentation. Deceptive descriptions violate Chrome Web Store policies.

Rule ID

description_mismatch

💡 How to Fix

Ensure your description accurately reflects functionality and permissions used. If description claims simplicity but requests sensitive permissions, either update the description or remove unnecessary permissions.

URL Overrides

Severity: Medium | Category: Functionality

Warns if the extension overrides Chrome's new tab page or search settings. These overrides must provide clear value and must not mislead users.

Rule ID

overrides

💡 How to Fix

Ensure overrides provide clear value to users and do not mislead or hijack search providers. Be transparent about what your extension does when overriding Chrome settings.

Nested Archives

Severity: Medium | Category: Packaging

Detects zip or crx files packaged inside the extension. Nested archives are not allowed and should be extracted.

Rule ID

nested_archives

💡 How to Fix

Remove embedded archives or extract their contents into the extension package. All files should be directly accessible, not nested in archives.

Headless Smoke Test

Severity: Medium | Category: Testing

Scans for console.error statements as a proxy for runtime errors. This helps identify potential issues before submission.

Rule ID

smoke_test

💡 How to Fix

Review the logged errors and handle exceptions gracefully. Consider running your extension in headless mode during CI to catch runtime issues early.

Third-Party Library Risk

Severity: Medium | Category: Security

Identifies outdated third-party libraries with known vulnerabilities. Outdated libraries pose security risks to users.

Rule ID

library_cve

💡 How to Fix

Update the listed libraries to the latest secure versions or remove them if not needed. Regularly check for security advisories and CVEs in your dependencies.
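Both library rules (third_party_libs above and library_cve here) come down to recognising a bundled library's version and comparing it, as a semantic version rather than as a string, against the version an advisory says is fixed. The following is an added example, not ExtensionAudit.ai's risk engine: the advisory table uses placeholder identifiers because no real CVE numbers appear on this page, and the library names, banner comments and "fixed in" versions are all constructed.

```javascript
// Added example (not ExtensionAudit.ai's code): banner-based library detection
// plus semantic-version comparison against a constructed advisory table.
// Advisory IDs are placeholders, not real CVE numbers.

const ADVISORIES = [
  { library: "examplelib", fixedIn: "3.5.0", id: "CVE-XXXX-PLACEHOLDER-1", summary: "XSS in HTML parsing" },
  { library: "otherlib",   fixedIn: "1.2.4", id: "CVE-XXXX-PLACEHOLDER-2", summary: "prototype pollution" },
];

// Parse "v?MAJOR.MINOR.PATCH" into numbers; anything else is rejected.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// Numeric comparison so that 3.10.0 sorts after 3.9.0 (a plain string
// compare would get this wrong and miss or invent findings).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`invalid semver: ${a} / ${b}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Recognise a minified-library banner such as "/*! examplelib v3.3.1 | MIT */".
function detectLibrary(source) {
  const m = /\/\*!?\s*([A-Za-z][\w.-]*)\s+v?(\d+\.\d+\.\d+)/.exec(source);
  return m ? { library: m[1].toLowerCase(), version: m[2] } : null;
}

// Return one library_cve finding per advisory whose fix is newer than the bundled version.
function checkLibrary(filename, source) {
  const lib = detectLibrary(source);
  if (!lib) return [];
  return ADVISORIES
    .filter((a) => a.library === lib.library && compareSemver(lib.version, a.fixedIn) < 0)
    .map((a) => ({
      rule: "library_cve", severity: "Medium", file: filename,
      library: lib.library, version: lib.version, fixedIn: a.fixedIn, advisory: a.id, summary: a.summary,
    }));
}

// Constructed sample files (banners only; the library bodies are irrelevant here).
const OUTDATED_FILE = "/*! examplelib v3.3.1 | (c) constructed sample */\n(function(){})();";
const CURRENT_FILE  = "/*! examplelib v3.10.0 | (c) constructed sample */\n(function(){})();";
const UNKNOWN_FILE  = "/*! mysterylib v0.0.1 */\n(function(){})();";

console.log(checkLibrary("lib/examplelib.min.js", OUTDATED_FILE)); // one finding, fixedIn 3.5.0
console.log(checkLibrary("lib/examplelib.min.js", CURRENT_FILE));  // []
console.log(checkLibrary("lib/mysterylib.min.js", UNKNOWN_FILE));  // [] (no advisory data)
```

A library that is not in the advisory table produces no finding rather than a guess; in practice the table would be fed from a vulnerability database, and a library whose banner was stripped by the build would need a content-hash lookup instead.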

Metadata Quality Score

Severity: Low | Category: Metadata

Calculates a score for name, description and icon completeness. Higher-quality metadata improves the store listing and user trust.

Rule ID

metadata_quality

💡 How to Fix

Provide a descriptive name (5+ characters), a meaningful description (30+ characters), and a set of high-resolution icons (16, 32, 48, 128). Avoid generic placeholder values.

Affiliate Tracking

Severity: Medium | Category: Privacy

Detects UTM, affiliate or referral parameters in code. Disclosure is required for affiliate relationships.

Rule ID

affiliate

💡 How to Fix

Clearly disclose affiliate relationships in your listing and obtain user consent before tracking. Be transparent about any referral or affiliate programs.

Runtime Simulation

Status: Coming Soon | Category: Testing

Available for Enterprise plans: runtime simulation launches a headless Chrome instance with your extension installed to analyze console errors, network requests, storage usage, and permission prompts.

Rule ID

runtime_simulation

🚀 Coming Soon

Runtime simulation and sandbox testing are available for Enterprise plans. This includes headless browser testing, malware detection, and CRX binary analysis. Contact us to learn more about Enterprise features.

Frequently Asked Questions

Find answers to common questions about ExtensionAudit.ai

Getting Started

What is ExtensionAudit.ai?

ExtensionAudit.ai is a comprehensive compliance scanner for Chrome extensions. It analyzes your extension against Chrome Web Store policies to help you identify and fix issues before submission. Our scanner checks for manifest compliance, security issues, privacy violations, code quality, and more.

How do I get started?

Getting started is easy:

  1. Sign up for a free account
  2. Upload your extension (.zip or .crx file)
  3. Select a scan profile (Dev, Store, or Enterprise)
  4. Review your compliance report
  5. Fix issues using the provided guidance

What file formats do you support?

We support .zip archives and .crx files. You can also upload an unpacked extension directory. The scanner will automatically extract and analyze all files in your extension package.

Scan Profiles

What are the different scan profiles?

Dev (Lenient) - Free Plan

Only shows high and critical severity issues. Suited to early, iterative development, when you want to focus on major problems without noise from minor findings.

Store (Strict) - Pro Plan

Full Chrome Web Store policy compliance check using the complete rule set across all categories (permissions, remote code, privacy, metadata, obfuscation, content, etc.) with standard severity weightings. Recommended before submission.

Enterprise (Paranoid) - Pro Plan

Maximum security checks with elevated severity for telemetry, third-party libraries, and security hardening. Includes additional enterprise-only checks like CSP strictness, debug artifact detection, and affiliate disclosure. Best for sensitive or internal extensions.

Which profile should I use?

Choose based on your stage:

  • Dev: Early development, quick iterations
  • Store: Before Chrome Web Store submission
  • Enterprise: Internal tools, high-security requirements

Privacy & Security

Is my code stored or shared?

No. Your source code is never stored or shared.

Your source code is processed temporarily during scanning and immediately deleted. We only store report summaries (scores, issue counts, timestamps) for your account history. Your code never leaves our secure environment and is never shared with third parties.

How secure is the scanning process?

All scanning happens in isolated, temporary environments. Files are processed in secure containers that are destroyed immediately after analysis. Communication is encrypted using HTTPS, and we follow industry best practices for data security.

What data do you collect?

We collect minimal data:

  • Email address (for account management)
  • Report summaries (scores, issue counts, timestamps)
  • Usage analytics (via Firebase Analytics)

We do NOT collect or store your source code, file contents, or any sensitive extension data.

Plans & Pricing

What's included in the Free plan?

The Free plan includes:

  • 25 Dev profile scans per month (includes 7-day free trial with unlimited scans)
  • Basic compliance checking
  • Issue reports with fixes

Store profile requires a Pro subscription. Enterprise profile is available only with Enterprise plans.

What's included in the Pro plan ($39.99/month)?

Pro plan includes everything in Free, plus:

  • Unlimited scans per month
  • Access to all scan profiles (Dev, Store, Enterprise)
  • Saved report history
  • Report exports (PNG, PDF, CSV, JSON)
  • Advanced compliance analysis
  • Third-party library risk scoring
  • Telemetry detection
  • CSP analysis
  • Metadata quality checks
  • Obfuscation & Permissions Inference
  • CLI local scanning (Coming Soon)

Can I cancel my subscription?

Yes, you can cancel your Pro subscription at any time. Your subscription will remain active until the end of your current billing period, and you'll retain access to all Pro features until then.

Using Reports

How do I fix issues found in my scan?

Each issue in your report includes:

  • Description: What the issue is
  • Severity: Critical, High, Medium, or Low
  • Suggested Fix: Step-by-step remediation guidance
  • Code Locations: Where the issue appears in your code
  • Policy Links: Official Chrome Web Store documentation

Use the Knowledge Base above to search for detailed information about specific error codes.

What do the severity levels mean?

Critical: Must fix before submission (e.g., Manifest V3 violations, remote code)

High: Should fix for best practices (e.g., excessive permissions, privacy issues)

Medium: Recommended to fix (e.g., metadata quality, CSP strictness)

Low: Nice to fix (e.g., debug artifacts, minor metadata issues)

Can I export my reports?

Yes! Pro plan users can export reports in multiple formats:

  • PNG - Visual report images for sharing
  • PDF - Printable report documents
  • CSV - Spreadsheet format for issue tracking and analysis
  • JSON - Machine-readable format for CI/CD integration

Report summaries are also saved in your account history for easy access. Export functionality is available from the report detail page.

How long are reports stored?

Report summaries are stored in your account for as long as your account is active. Full report details are available for 30 days after scanning. Pro plan users have extended storage for report history.

Technical Questions

What Chrome Web Store policies do you check?

We perform comprehensive static analysis using 28+ specialized policy rule engines that check against ALL major Chrome Web Store policy categories. See the policy list above for complete details.

Each check includes: specific file locations, line numbers, severity ratings, actionable fix guidance, and links to official Chrome Web Store policy documentation.

How accurate and comprehensive are the scan results?

ExtensionAudit.ai performs comprehensive static analysis using 28+ specialized policy rule engines that check against all major Chrome Web Store policy categories.

Our scanner analyzes:

  • Manifest Compliance: MV3 validation, required fields, cross-consistency checks, service worker validation
  • Security: Remote code detection, dynamic script injection, CSP strictness, security hardening
  • Permissions: Excessive/unused permissions, missing API permissions, sensitive permission auditing
  • Privacy: Privacy policy requirements, telemetry/tracking detection, affiliate disclosure
  • Code Quality: Obfuscation detection, code readability, debug artifacts
  • Third-Party Libraries: CVE vulnerability scanning, outdated library detection, risk assessment
  • Metadata: Completeness checks, quality scoring, description vs reality validation
  • Content: Prohibited content detection, HTTP vs HTTPS validation
  • Packaging: Missing files, nested archives, CRX integrity checks
  • Testing: Smoke test analysis (runtime simulation coming soon for Enterprise)

The scanner uses advanced pattern matching, regex analysis, semantic version comparison, and policy rule engines to provide highly accurate results. Each issue includes specific file locations, line numbers, severity ratings, and actionable fix guidance with links to official Chrome Web Store policy documentation.

Note: The scanner performs static analysis only (it doesn't execute your extension in a browser). Some runtime behaviors may require manual testing, but the scanner catches 95%+ of compliance issues before submission.

Can I use this in CI/CD pipelines?

Yes! Our CLI tool (coming soon) is designed for CI/CD integration. You can run scans as part of your build process to catch compliance issues before deployment. The scanner returns exit codes that can be used to fail builds if critical issues are found.

Support

What if I need help?

We're here to help! You can:

  • Search by error code in the Knowledge Base above
  • Browse the policy reference above for detailed information
  • Contact us at Support@ExtensionAudit.ui

Do you offer enterprise support?

Yes! Enterprise customers receive priority support, custom scanning profiles, and dedicated account management. Contact us at Support@ExtensionAudit.ui for more information.

Still have questions?

Can't find what you're looking for? We're here to help!
