Extension Permissions

Every Chrome permission, including all-sites host access

BusinessProxy uses Chrome proxy APIs to apply a managed browser path after sign-in. The extension does not declare content scripts, but it does request all-sites host access so Chrome can deliver proxy-authentication challenges for routed requests.

Chrome may show a broad all-sites warning. The reason is proxy authentication handling, not page-content injection.

| Manifest entry | Purpose | Limit |
| --- | --- | --- |
| `proxy` | Configure Chrome proxy settings while BusinessProxy is connected. | Applies to Chrome proxy configuration, not OS network settings. |
| `storage` | Store minimal extension state and read Chrome Enterprise managed settings. | Does not store reusable proxy passwords. |
| `alarms` | Run heartbeat, expiry and cleanup checks for the proxy session. | Background scheduling only. |
| `webRequest` | Receive proxy-authentication challenge events for routed browser requests. | Used for proxy-auth events, not page DOM inspection. |
| `webRequestAuthProvider` | Respond to proxy-auth challenges with short-lived session credentials. | Does not reuse account password. |
| `host_permissions: <all_urls>` | Allows Chrome to deliver proxy-auth challenges for requests routed through the configured proxy, regardless of destination site. | Broad host permission; disclosed directly. No content scripts are declared. |

What the package does not declare

  • No `content_scripts`.
  • No `scripting` permission.
  • No `tabs` permission.
  • No `privacy` permission.
  • No page-injection permission for ads or DOM modification.
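
One way to check a packaged manifest against the two lists above, as an added example (not BusinessProxy's own code). The helper name `auditManifest` is hypothetical and both sample manifests are constructed for illustration.

```javascript
// Added example: audit a Manifest V3 manifest against the permissions documented on this page.
const DOCUMENTED = ["proxy", "storage", "alarms", "webRequest", "webRequestAuthProvider"];
const DOCUMENTED_HOSTS = ["<all_urls>"];
const NOT_DECLARED = ["scripting", "tabs", "privacy"]; // from the "does not declare" list

// auditManifest is a hypothetical helper name; it returns a list of human-readable findings.
function auditManifest(manifest) {
  const findings = [];
  // Optional permissions count too: they can be requested at runtime after install.
  const perms = [...(manifest.permissions || []), ...(manifest.optional_permissions || [])];
  const hosts = [...(manifest.host_permissions || []), ...(manifest.optional_host_permissions || [])];

  for (const p of perms) {
    if (NOT_DECLARED.includes(p)) findings.push(`declares excluded permission: ${p}`);
    else if (!DOCUMENTED.includes(p)) findings.push(`undocumented permission: ${p}`);
  }
  for (const p of DOCUMENTED) {
    if (!perms.includes(p)) findings.push(`documented permission missing: ${p}`);
  }
  for (const h of hosts) {
    if (!DOCUMENTED_HOSTS.includes(h)) findings.push(`undocumented host pattern: ${h}`);
  }
  if (manifest.content_scripts !== undefined) findings.push("content_scripts key is present");
  return findings;
}

// Constructed sample manifests (not the shipped BusinessProxy file).
const asDocumented = {
  manifest_version: 3,
  permissions: ["proxy", "storage", "alarms", "webRequest", "webRequestAuthProvider"],
  host_permissions: ["<all_urls>"],
};
const drifted = {
  manifest_version: 3,
  permissions: ["proxy", "storage", "alarms", "webRequest", "webRequestAuthProvider", "tabs", "cookies"],
  host_permissions: ["<all_urls>"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};

console.log(auditManifest(asDocumented));
console.log(auditManifest(drifted));
```

To audit a real package, pass the parsed `manifest.json` from the unpacked extension directory to `auditManifest` and re-run the check on every update, since permissions can change between versions.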

Why the broad host permission is necessary

Proxy authentication happens when Chrome routes a request through the configured proxy. Because a user may route any approved work site, Chrome needs to deliver auth challenges for arbitrary destination URLs. The extension answers those challenges with the current short-lived proxy session credentials. That is why the host permission is broad.

FAQ

Why does the extension request access to all sites?

Chrome requires the all-sites host permission so the extension can receive and answer proxy-authentication challenges for requests that Chrome routes through the configured proxy. The extension has no content scripts and does not inject into pages or modify page content.

Why not say "no broad host access"?

Because it would be inaccurate. The extension requests `<all_urls>` host permission. The accurate statement is narrower: no content scripts, no page injection, and all-sites host access only for proxy-auth challenge handling.