
Google has announced a significant change in how Chrome extensions gain permission to use the User Scripts API, which allows injecting custom JavaScript code on web pages. This will be the first permission that users need to enable individually for each extension.
With Chrome 138, users will have to individually enable a switch called “Allow User Scripts” for each extension that uses the chrome.userScripts API.
From Chrome 138, this new toggle will be accessible on the extension details page (reached via “Manage Extensions,” at chrome://extensions/?id=). It will have to be enabled for each individual extension.
User Scripts is a powerful API, introduced as part of Manifest V3, that allows dynamically injecting, running, and updating scripts on web pages, altering their appearance or behavior. This API is used by user script managers like Tampermonkey, browser automation tools, accessibility extensions, ad blockers, privacy tools, developer tools, and others.

Google explains that previously, enabling user scripts required turning on the global Developer Mode toggle within Chrome. This led to many security issues.
“Once developer mode was enabled, new extensions that requested the userScripts permission automatically gained the ability to run user scripts, potentially without explicit user consent or awareness of the risks associated with each new extension,” Google said in a blog post.
The change provides “more granular control and reduces potential security risks.”
Developer Mode controls several other developer-oriented permissions, and many enterprises prefer not to enable it on managed devices. This effectively prevents them from deploying or using extensions that rely on this API.
“On the first launch of 138 and newer, a one-time migration will automatically enable the new toggle for existing extensions that have been granted the userScripts permission if the Developer Mode toggle is enabled,” Google explains.
“All new extensions installed after the migration will default to the Allow User Scripts toggle being set to off.”
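To see which extensions the one-time migration and the new toggle apply to, an administrator can check each extension's manifest for the userScripts permission. The following is an added example, not code from Google or from this article; the function names are hypothetical and the sample manifests are constructed.

```javascript
// Added example: classify extension manifests by whether they request "userScripts".
// Function names are hypothetical; the sample manifests below are constructed.
const PERMISSION = "userScripts";

function auditManifest(manifestText) {
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    manifest = null; // e.g. a manifest with // comments, which strict JSON rejects
  }
  if (manifest === null || typeof manifest !== "object") {
    // Report for manual review instead of silently skipping the extension.
    return { name: null, manifestVersion: null, status: "unparseable" };
  }
  const asList = (value) => (Array.isArray(value) ? value : []);
  let status = "not-requested";
  if (asList(manifest.permissions).includes(PERMISSION)) {
    status = "requested-at-install";
  } else if (asList(manifest.optional_permissions).includes(PERMISSION)) {
    status = "requestable-at-runtime";
  }
  return {
    name: String(manifest.name ?? "(unnamed)"),
    manifestVersion: manifest.manifest_version ?? null,
    status,
  };
}

// Keep only the entries an administrator has to look at.
function auditAll(manifestTexts) {
  return manifestTexts
    .map(auditManifest)
    .filter((result) => result.status !== "not-requested");
}

// Constructed sample input: one manifest.json body per installed extension.
const SAMPLE_MANIFESTS = [
  '{"name":"Script Manager","manifest_version":3,"permissions":["storage","userScripts"]}',
  '{"name":"Page Tweaker","manifest_version":3,"permissions":["storage"],"optional_permissions":["userScripts"]}',
  '{"name":"Dark Theme","manifest_version":3,"permissions":["storage"]}',
  '{"name":"Broken", // trailing comment\n "manifest_version":3}',
];

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

Extensions reported as requested-at-install or requestable-at-runtime are the ones whose “Allow User Scripts” toggle is worth reviewing after the upgrade to Chrome 138.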
Currently, Chrome extensions request multiple permissions simultaneously upon installation, which often leaves them with excessive permissions.
Cybercriminals often abuse extensions and their extensive permissions to spy on users, steal their sensitive data, and carry out other malicious activities. DomainTools recently discovered 100 fake malicious Chrome extensions with dual functionalities, and previously secret tracking code has been discovered in dozens of other Chrome extensions.