Type Array
Mandatory No
Manifest version 3 or higher
"host_permissions": [

Use the host_permissions key to request access for the APIs in your extension that read or modify host data, such as cookies, webRequest, and tabs. This key is an array of strings, and each string is a request for a permission.

If you request permissions using this key, the browser may prompt the user to grant the extension access to this host data at install time. Whether the user is prompted or not, the browser allows the user to control the extension's host permissions after installation: grant or revoke them as needed.

As the request to grant host permissions may impact users' willingness to install your extension, requesting host permissions is worth careful consideration. For example, you want to avoid requesting unnecessary host permissions and may want to provide information about why you are requesting host permissions in your extension's store description. The article Request the right permissions provides more information on the issues you should consider.

For information on how to test and preview permission requests, see Test permission requests on the Extension Workshop site.

Host permissions are specified as match patterns, and each pattern identifies a group of URLs for which the extension is requesting extra privileges. For example, a host permission could be "*://*".

The extra privileges include:

  • XMLHttpRequest and fetch access to those origins without cross-origin restrictions (though not for requests from content scripts, as was the case in Manifest V2).
  • the ability to read tab-specific metadata without the "tabs" permission, such as the url, title, and favIconUrl properties of tabs.Tab objects.
  • the ability to inject scripts programmatically (using tabs.executeScript()) into pages served from those origins.
  • the ability to receive events from the webrequest API for these hosts.
  • the ability to access cookies for that host using the cookies API, as long as the "cookies" API permission is also included.
  • bypassing tracking protection for extension pages where a host is specified as a full domain or with wildcards.

In Firefox extensions get host permissions for their origin, which is of the form:


where 60a20a9b-1ad4-af49-9b6c-c64c98c37920 is the extension's internal ID. The extension can get this URL programmatically by calling extension.getURL():

// moz-extension://60a20a9b-1ad4-af49-9b6c-c64c98c37920/


 "host_permissions": ["*://*"]

Request privileged access to pages under

Browser compatibility

BCD tables only load in the browser