The Chrome Web Store rejects extensions with a Purple Potassium tag, which creates confusion for developers because their extension appears safe. The code clearly shows that your extension asks for permissions which exceed what it requires to operate.
Permissions function as a powerful tool. The extension's access permissions determine which resources it can reach, including user tabs, and browsing history, as well as protected storage and data. The Chrome review team identifies security and privacy threats when a manifest.json file contains more permissions than needed or contains unnecessary permissions.
Note: ‘Purple Potassium’ is an internal term used in Chrome’s review process to indicate metadata or listing quality issues — not a public rejection label.
The rejection carries specific reasons which we will analyse to determine its causes. We will discover solutions that do not require extension rewriting.
*Definition of Purple Potassium *
Chrome Web Store uses Purple Potassium to indicate permissions that are excessive, not utilized, or unnecessary within your manifest.json file.
These could involve needing or requesting access to a feature that isn't part of your extension's core functionality, requesting an API that isn't required, or having host permissions that are overly broad (like ).
The Chrome Review process uses the principle of least privilege it applies both to declared permissions in manifest.json and runtime requests via chrome.permissions.request(), so your extension should only request what is needed to function.
Common Causes of a Purple Potassium Rejection
If you have been hit by code Purple Potassium, here are the most common culprits:
Overly broad host access: Using when you only need one or two domains is an example of overly broad host access.
Unused APIs: Including tabs, bookmarks, or cookies in your manifest but never using them in your code.
Outdated permissions: Some features may be removed or updated, but missing to update the permission. In this case, old permissions remain even though they are no longer needed.
Lack of context: Reviewers often don’t have complete background information, so they might not understand why certain sensitive permissions, like access to history or downloads, are being requested.
Generic templates: Developers sometimes re-use code from older projects, which can include unneeded default permissions that are carried over without review.
*How to Fix It *
A clear way to remove unnecessary items from your manifest and pass the review:
Check the Permissions You Granted: Make sure your code's actual usage matches the permissions you've granted and the host permissions. Remove any that are not actively in use.
Reduce Your Scope: When you ask for permission, only request the smallest necessary permissions. Use specific host URLs instead of a general one. Use optional permissions to request access from the user only when it's needed. Optional Permissions can be requested dynamically using chrome.permissions.request() and revoked using chrome.permissions.remove().
Justify Sensitive Permissions: When you ask for access to things like downloads, browsing history, or storage, make sure you clearly explain the reason in your Developer Dashboard notes or privacy policy. Being transparent helps reviewers understand your reasons and shows that you’re acting responsibly with user data.
Note: privacy policies are mandatory if any permission grants access to user data (like history, cookies, or downloads).
Remove Old Code: There may still be old or experimental features calling unused APIs in your code. You should always delete any outdated code before packaging.
Test Your Build: After making your changes and packaging the extension, verify that all expected features are still functioning. Test in normal and incognito windows and observe expected behaviour.
*Best Practices for Permission Hygiene *
Begin with smaller requests for permissions.
For non-essential features, utilize optional permissions.
Don't add permissions "Just in case".
Keep a brief README or internal note to denote the reason for each permission.
Review and edit your manifest every time you submit.
Note: permissions declared but only commented out in the code still count as requested — Chrome checks the manifest, not code comments.
*The checklist before you resubmit *
Prior to hitting that “Submit for Review” button, take a quick look at this QA list:
Eliminate the permissions that are not in use or are irrelevant.
Change the access to hosts in general with the URLs that are specific.
Provide reasons for accessing sensitive data in the developer notes.
Monitor the extension’s behaviour after the cleanup.
Also check for any console errors or features that are not working properly.
A simple 10-minute review like this can prevent days of rejection loops.
*Conclusion *
Purple Potassium rejections serve as reminders for all developers to respect user data boundaries. When your extension requests only what it truly needs, you will speed up the review process as well as earn user trust and build a reputation
Don't let permission overuse slow down your approval.
Use Coditude's professional Chrome Extension QA checklist to find unused permissions, verify your manifest, and simplify your next submission.
Stay compliant, stay approved and keep your extension lightweight, secure, and easy to use.
Top comments (0)