The latest articles on DEV Community by Rory (@rory_1af399b9b9528d47ab36). https://dev.to/rory_1af399b9b9528d47ab36 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4006858%2Fea92749b-2a83-4a0e-bc3f-af780945b801.png https://dev.to/rory_1af399b9b9528d47ab36 en Rory Sun, 28 Jun 2026 18:21:21 +0000 https://dev.to/rory_1af399b9b9528d47ab36/how-to-fix-the-purple-potassium-chrome-web-store-rejection-and-catch-it-before-you-submit-414b https://dev.to/rory_1af399b9b9528d47ab36/how-to-fix-the-purple-potassium-chrome-web-store-rejection-and-catch-it-before-you-submit-414b <p>You submitted your extension, waited days for review, and got back a rejection<br> with a violation called "Purple Potassium." Your extension looks fine to you, so<br> what does it even mean? Here is what it is, why it happens, and how to catch it<br> before you ever hit submit.</p> <h2> What "Purple Potassium" actually means </h2> <p>"Purple Potassium" is Google's internal tag for <strong>excessive or unused<br> permissions</strong>. Your manifest requests access to something your code does not<br> actually use, and the reviewer flags it. It is one of the most common reasons a<br> Chrome extension gets rejected, and it is frustrating precisely because the<br> extension works fine in testing. Review is checking something testing never does:<br> whether every permission you ask for is justified by your code.</p> <h2> The usual causes </h2> <p><strong>1. API permissions you declared but never call.</strong> You added <code>tabs</code>,<br> <code>bookmarks</code>, or <code>cookies</code> to your manifest at some point, but there is no<br> <code>chrome.bookmarks.*</code> call anywhere in your code.</p> <p><strong>2. Host access that is too broad.</strong> You requested <code>&lt;all_urls&gt;</code> when your<br> extension only touches one site:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="err">//</span><span class="w"> </span><span class="err">Flagged</span><span class="w"> </span><span class="nl">"host_permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"&lt;all_urls&gt;"</span><span class="p">]</span><span class="w"> </span><span class="err">//</span><span class="w"> </span><span class="err">Better</span><span class="w"> </span><span class="nl">"host_permissions"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">"https://*.example.com/*"</span><span class="p">]</span><span class="w"> </span></code></pre> </div> <ol> <li><p>Leftover permissions after removing a feature. You shipped a feature that<br> needed downloads, later removed the feature, and forgot to remove the<br> permission.</p></li> <li><p>The tabs misunderstanding. The tabs permission does not grant access<br> to the tabs API. Basic methods like chrome.tabs.create() work without it. It<br> only grants four sensitive Tab properties: url, pendingUrl, title, and<br> favIconUrl. If you declare tabs but never read those, it counts as unused.</p></li> </ol> <p>How to fix it by hand</p> <ol> <li>List everything in permissions, optional_permissions, and host_permissions.</li> <li>For each one, search your code for the matching chrome. call.</li> <li>Remove any permission with no usage.</li> <li>Narrow and other broad patterns to the specific hosts you need.</li> <li>In your reviewer notes, write one plain sentence per sensitive permission explaining why you need it. Reviewers often lack context, and this prevents a lot of back and forth.</li> </ol> <p>This works, but it is tedious and easy to get wrong, especially the tabs and<br> host-permission rules.</p> <p>The faster way: lint it before you submit</p> <p>I built a small CLI that does this check automatically. Point it at your unpacked<br> extension directory:</p> <p>npx tabsmith-lint ./my-extension</p> <p>It statically reads your code, builds an inventory of which chrome.* APIs you<br> actually call, and compares that to what your manifest declares. Then it reports<br> the likely rejection causes with the matching violation IDs, for example:</p> <p>[fix] PERM001 Permission "bookmarks" appears unused (Purple Potassium)<br> manifest.json:8<br> No chrome.bookmarks/browser.bookmarks usage found.<br> Fix: remove "bookmarks" unless it is required by code not in this package.</p> <p>It also flags broad host access, remote code, and missing or wrong-case file<br> references. You get a pass / needs fixes / high rejection risk verdict and<br> exit codes, so you can run it in CI.</p> <p>One important caveat</p> <p>This is static analysis, not magic. A linter that tells you to remove a<br> permission you actually use is worse than no linter, so the unused-permission<br> rule is deliberately conservative: it ships as a warning, not a hard error, and<br> it lowers its confidence when it sees dynamic access like chrome[name]. It is<br> also honest about its limits. Deeply bundled extensions can still hide usage from<br> it, which is documented.</p> <p>If you want to verify the accuracy yourself rather than take my word for it, the<br> project ships an open benchmark of hand-labeled real extensions and a scorer you<br> can run with npm run score.</p> <p>Bottom line</p> <p>The Purple Potassium rejection comes down to one rule: request the narrowest<br> permissions your code actually uses, and nothing more. Audit your manifest<br> against your code before every submission. Doing it by hand works; running a<br> linter is faster and catches the cases that are easy to miss.</p> <p>Tool is MIT and open source: <a href="https://github.com/rsub122/tabsmith-lint" rel="noopener noreferrer">https://github.com/rsub122/tabsmith-lint</a></p> webdev javascript extensions node