The `tabs` permission explained: what browser extensions can really see in your open tabs
The tabs permission lets Chrome extensions log every URL you visit in real time — no history permission needed. Here's what it does and how to audit yours.
You installed a coupon-finding extension six months ago. It saved you $4 on a coffee machine. Since then, it's been watching every tab you open — your bank, your doctor's appointment portal, that job listing you keep going back to. And it did all of this without ever asking for your browsing history.
That's the tabs permission. It's one of the most quietly powerful things a Chrome extension can request, and most people scroll right past it during installation.
What the tabs permission actually means
When an extension asks for the tabs permission, it's requesting access to chrome.tabs.query() — a Chrome API that returns metadata about every open tab in your browser. According to the Chrome developer docs, without this permission, fields like url, title, and favIconUrl come back as empty strings. With it, they return the real values.
So the extension can see: the full URL of every tab you have open, the page title, the favicon, whether the tab is active, which window it belongs to, and even whether audio is playing. That's a surprisingly complete picture of what you're doing right now.
The thing is, tabs doesn't sound scary. It sounds like it's about organizing tabs. Most people assume it's harmless.
What an extension can do with it — and what it can't
Here's the technical truth. With just the tabs permission, an extension can read your tab URLs and titles whenever it wants. It can also listen to events: onCreated when you open a tab, onUpdated when you navigate, onActivated when you switch tabs, onRemoved when you close one.
That onUpdated listener is the key thing to understand. Combined with tabs, it means an extension can log every URL you navigate to, in real time, as it happens. Not your historical browsing — that needs the history permission separately. But everything from this moment forward? Fully accessible.
What it can't do on its own: read the actual content of web pages (that needs scripting or content scripts with host permissions), access your cookies (that needs cookies), or dig into your past browsing history. So there are real limits. But "I can watch every site you visit going forward" is already a lot.
What URLs actually reveal about you
Think about what your tab titles and URLs contain on an average day.
Your bank's login page. A WebMD article about a symptom you looked up. LinkedIn jobs at your competitor. A relationship advice forum. A political news site. A medical clinic booking page. Maybe something you'd rather not say out loud.
The tab title alone often tells a story. "Checking Account — $2,341.00 | First National" is a URL title. "Stage 2 diabetes diet — Mayo Clinic" is a URL title. Extensions with tabs + onUpdated can collect all of this without you ever knowing, and without touching the history permission that might raise more flags in a security audit.
One important caveat: if you use private/incognito browsing, extensions need the "Allow in incognito" setting enabled to see those tabs. But a lot of users turn that on during installation without thinking much about it — and then forget they did.
Real extensions that use this — and why it's sometimes fine
I don't want to make you paranoid about every extension that lists tabs. There are genuinely legitimate uses.
Tab managers like OneTab or The Great Suspender need to see your open tabs to do their job — suspending inactive ones, saving sessions, grouping related tabs. Session restore tools need to know what was open to restore it. Productivity extensions that show which tab is currently active need this permission for obvious reasons.
The question to ask is: does this extension's core function actually require knowing the URL and title of every tab I have open, in real time?
When the tabs permission is a red flag
For some extension categories, tabs has no good explanation.
Coupon and shopping extensions have no legitimate reason to monitor every URL you navigate to in real time. They need to know when you're on a shopping site — but that's what host permissions and content scripts handle. Watching all tabs goes further than that.
Ad blockers should be using webRequest or declarativeNetRequest to intercept network requests. If an ad blocker is also requesting tabs, that's worth a second look.
"Free" VPN or proxy extensions are a category I'd be especially wary of. Their core function is routing traffic — they don't need to log tab URLs to do that. When a free VPN requests tabs, ask yourself what the business model actually is.
The combination that should make you stop and think: tabs paired with <all_urls> host permissions. That means the extension can see every URL you visit and can also inject code into every page you load. That's a very powerful set of capabilities, and it warrants real scrutiny.
What the research tells us
Q Continuum's research, reported by The Register in February 2026, found 287 Chrome extensions that had collectively leaked data from 37.4 million users. A key pattern the researcher identified was that many of these extensions used combinations of tabs and broad host permissions to silently log browsing behavior — not the history permission, which is the one most people think to watch for.
You can read the full reporting at The Register's coverage. The pattern — tabs used as a substitute for history to achieve equivalent surveillance without the permission that triggers more suspicion — is exactly the kind of thing that's hard to spot without actually looking at what permissions an extension holds.
This is why permissions transparency matters more than most people realize. The permission system is supposed to help you make informed decisions, but only if you know what the permissions actually mean.
How to check your extensions right now
The most direct thing you can do: go to chrome://extensions/ in your browser, click "Details" on any extension, and scroll to the permissions section. Look for tabs specifically. Then ask whether that extension's stated purpose actually requires it.
If you want a faster way to audit multiple extensions at once, the Extenshi catalog lets you look up extensions and see their declared permissions. You can also use the permissions scan at catalog.extenshi.io/scan to check what's installed in your browser and flag anything that looks out of place.
The catalog surfaces permission combinations that are worth paying attention to — including cases where tabs shows up alongside powerful host permissions.
This doesn't require you to become a security expert. It just requires a few minutes and the willingness to ask: "why does this extension need this?"
The permission isn't the problem — the use is
The tabs permission existing isn't the problem. Chrome needs a way for tab managers and session tools to work. The API is documented, it's legitimate, and plenty of extensions use it responsibly.
The issue is when extensions request permissions they don't need for their stated function — and when users have no easy way to tell the difference. A coupon finder that silently logs your URL history is doing something qualitatively different from a tab manager that suspends inactive tabs, even if both show "tabs" in the permissions list.
Your browser extensions run with significant trust. They sit between you and everything you do online. That's worth thinking about when you're clicking "Add to Chrome" — and worth auditing occasionally even after the fact.
This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].
Related Articles
Extension fingerprinting explained: what websites can read about you from your installed add-ons
LinkedIn scanned 6,236 Chrome extensions to fingerprint users without consent. Here's how extension fingerprinting works and how to check if you're exposed.
AI extension data collection explained: what your Chrome AI tools can really access
52% of AI Chrome extensions collect user data, a 2026 study found. Here's what permissions like scripting actually let them see and how to check yours.
The `scripting` permission explained: what browser extensions can really inject into your pages
The scripting permission lets extensions run JavaScript on any page you visit — including your Zoom calls. Here's what that actually means for your privacy.