Chrome Extension Permission Audit Report for MPExtension: Matterport Side Panel Toolbox

Audit Date: January 10, 2025

1. Overview

MPExtension is a Chrome extension designed to enhance the workflow of the Matterport dashboard by providing additional tools and features through a customizable side panel. This document, prepared on January 10, 2025, outlines the permissions declared in the extension’s manifest and provides a detailed analysis to ensure transparency regarding the extension’s interaction with data, particularly with respect to cookies on the *.matterport.com domain.

2. Permissions Declared in Manifest

The extension manifest includes the following permissions:

"permissions": [
  "alarms",
  "storage",
  "scripting",
  "sidePanel",
  "downloads"
],
"host_permissions": [
  "*://my.matterport.com/*",
  "*://mpextension.com/*"
]

These permissions enable the extension to:

  • Use alarms to trigger periodic tasks.
  • Store and retrieve user settings and data using Chrome’s storage API.
  • Execute scripts on the specified domains to enhance functionality (scripting).
  • Display a custom side panel (sidePanel).
  • Manage file downloads (downloads).

The host_permissions allow interaction only with the my.matterport.com and mpextension.com domains.

3. Cookie Access Analysis

The extension does not declare the "cookies" permission in the manifest. As per the Chrome Cookies API documentation, this means the extension is technically unable to read, write, or modify cookies on any domain, including *.matterport.com.

The "host_permissions" declared in the manifest allow content interaction on the specified domains but do not grant access to cookies or other sensitive browser data.

For further reference, details on Chrome's permissions model can be found in the Declaring Permissions documentation.
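The manifest check described in this section can be repeated on every release so that a later manifest change does not silently widen the extension's reach. The JavaScript below is an added example, not part of the original report or of MPExtension's code; the manifest values are copied from section 2, while EXPECTED_HOSTS and the function names are assumptions made for illustration.

```javascript
// Added example: audits declared permissions in a Manifest V3 manifest.
// Manifest values are copied from section 2; EXPECTED_HOSTS is an assumed allowlist.
const manifest = {
  permissions: ["alarms", "storage", "scripting", "sidePanel", "downloads"],
  host_permissions: ["*://my.matterport.com/*", "*://mpextension.com/*"],
};
const EXPECTED_HOSTS = ["my.matterport.com", "mpextension.com"];

// Extract the host part of a match pattern such as "*://my.matterport.com/*".
// Returns "*" for <all_urls> or for a pattern that does not parse.
function patternHost(pattern) {
  if (pattern === "<all_urls>") return "*";
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\//.exec(pattern);
  return m ? m[2] : "*";
}

function auditManifest(mf, expectedHosts) {
  // optional_* entries count too: they can be granted at runtime.
  const perms = [...(mf.permissions || []), ...(mf.optional_permissions || [])];
  const hosts = [...(mf.host_permissions || []), ...(mf.optional_host_permissions || [])]
    .map(patternHost);
  // Static content scripts inject on their "matches" without "scripting".
  const csHosts = (mf.content_scripts || []).flatMap((cs) => cs.matches || [])
    .map(patternHost);
  const canInject = perms.includes("scripting");
  return {
    // The chrome.cookies API is only exposed when "cookies" is declared.
    cookiesApi: perms.includes("cookies"),
    // Anything broader than the allowlist: wildcards, subdomain globs, other names.
    unexpectedHosts: [...hosts, ...csHosts].filter((h) => !expectedHosts.includes(h)),
    // Hosts where the extension can run script in the page. Such scripts share the
    // page's DOM, so cookies not marked HttpOnly are visible via document.cookie
    // there even without "cookies". This is a general property of Chrome's model,
    // not a finding about MPExtension's code.
    scriptInjectionHosts: [...new Set([...(canInject ? hosts : []), ...csHosts])],
  };
}

console.log(auditManifest(manifest, EXPECTED_HOSTS));
```

For the manifest in section 2 the audit reports no "cookies" permission and no hosts outside the allowlist; the scriptInjectionHosts list shows where a code review of injected scripts should focus.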

4. Security and Privacy Considerations

MPExtension adheres to Chrome’s security guidelines and ensures user data privacy by:

  • Limiting permissions to those necessary for its intended functionality.
  • Excluding permissions, such as "cookies", that could interact with sensitive user data.
  • Operating strictly within the boundaries defined by the declared host_permissions.

No data is collected, stored, or shared beyond the scope of the declared permissions.

5. Publicly Disclosed Privacy Practices

The privacy practices for MPExtension have been publicly disclosed in the Chrome Web Store Privacy Policy Page, confirming that:

  • No data is sold to third parties outside of approved use cases.
  • Data is not used or transferred for purposes unrelated to the extension's functionality.
  • Data is not used to determine creditworthiness or for lending purposes.

6. Chrome Extension Settings Confirmation

To provide further reassurance, the Chrome Extension settings for MPExtension have been reviewed. The permissions visible under the extension's details page confirm the limited scope of the extension's declared permissions. Below is a screenshot of the Chrome Extension settings:

Key Observations:

  • The only explicitly listed permission is "Manage your downloads", as expected from the manifest file.
  • No permissions related to cookie access, such as "cookies", are displayed.
  • The extension only interacts with the *.matterport.com and *.mpextension.com domains, as declared in the host_permissions.

8. Conclusion

The MPExtension: Matterport Side Panel Toolbox has been thoroughly reviewed as of January 10, 2025, to ensure compliance with Chrome's extension permissions model and user privacy guidelines. Based on the analysis provided in this document:

  1. The extension's manifest does not include the "cookies" permission, and therefore, it is technically incapable of accessing, reading, or modifying cookies from *.matterport.com or any other domain.
  2. The permissions listed in the extension's Chrome settings confirm that the declared permissions are limited to those explicitly needed for the extension's functionality, such as managing downloads and interacting with specified domains.
  3. Publicly disclosed privacy practices and Chrome Developer documentation support the claims that the extension prioritizes user privacy and adheres to Chrome's best practices.

If you have any questions or concerns, feel free to contact me, Diego Orofino, at support@mpextension.com, and I will be happy to address them directly.