For the complete documentation index, see llms.txt. Prefer markdown by appending .md to documentation URLs or sending Accept: text/markdown.

Permissions

Request the smallest set of permissions and host access your extension needs. Broad grants hurt security and slow store review.

Every permission expands what a compromised or malicious build can do. TurboStarter starts from what session sharing needs - then you add only what your features require.

Default needs for auth

Shared web session typically requires:

wxt.config.ts
export default defineConfig({
  manifest: {
    permissions: ["cookies"],
    host_permissions: ["http://localhost/*", "https://your-app-url.com/*"],
  },
});
  • cookies - read the Better Auth session cookie for your app domain
  • host_permissions - only your app origins (local + production)

See Session for the full cookie setup.

Least privilege rules

  1. Prefer a specific permission over a powerful one
  2. Prefer exact host patterns over wildcards
  3. Document each permission in your store listing privacy / justification text
  4. Remove permissions when a feature ships without them
PermissionTypical useCaution
cookiesShared web sessionLimit hosts via host_permissions
storageTheme / prefs via WXT storageDo not store long-lived secrets
tabs / activeTabKnow the current tabPrefer activeTab when possible
scriptingInject scripts on demandPair with tight matches

Avoid <all_urls>

Avoid "<all_urls>"

Do not use <all_urls> in host_permissions or content-script matches unless you truly need it. It raises the blast radius and often triggers longer Chrome Web Store review (or rejection).

Use patterns scoped to your product:

host_permissions: ["https://app.example.com/*"];

Adding permissions

Override manifest fields in wxt.config.ts when a feature needs more access. Keep the change in the same PR as the feature, and update the store privacy disclosure at the same time.

How is this guide?

Last updated on

On this page

Ship your startup everywhere. In minutes.Try TurboStarter