
Permission justifications

Piotr Witek edited this page Mar 20, 2023 · 2 revisions
  • Background justification

The background permission is necessary so that our background script starts executing as early as possible, before the user opens the browser, because storage access is asynchronous. A critical use case is the initialization check (an async call to storage): it must complete before the user is able to click the extension action button on the toolbar. Otherwise the default onboarding flow could open even though the user has already completed onboarding and saved account data in storage, and proceeding with onboarding again could make the user overwrite their existing data.

  • Management justification

We need the chrome.management.onEnabled API so that, when the user has disabled and re-enabled the extension, our extension state can be properly initialized from storage.
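An added example, not the project's own code, of the gate that the Background and Management justifications describe: clicks on the action button are held until the async storage read finishes, and onboarding opens only when storage positively reported no account. `createActionGate`, `readAccount`, `reinitialize` and the view names are hypothetical; `readAccount(cb)` stands in for the extension's storage call, and `reinitialize` is what a `chrome.management.onEnabled` listener would call.

```javascript
// Added example. createActionGate, readAccount and the view names are
// hypothetical; readAccount(cb) stands in for the extension's async storage
// read and calls cb(err, account).
function createActionGate(readAccount, openView) {
  let state = "pending"; // "pending" | "onboarded" | "fresh" | "error"
  let waiting = 0;       // clicks received before the storage read finished

  function route() {
    // Onboarding is shown only when storage positively reported "no account".
    // A failed read fails closed, so existing data cannot be overwritten.
    if (state === "fresh") return openView("onboarding");
    if (state === "onboarded") return openView("unlock");
    return openView("error");
  }

  function init() {
    state = "pending";
    readAccount((err, account) => {
      if (err) state = "error";
      else state = account ? "onboarded" : "fresh";
      for (; waiting > 0; waiting--) route(); // replay the deferred clicks
    });
  }

  function onActionClicked() {
    if (state === "pending") { waiting++; return "deferred"; }
    route();
    return "routed";
  }

  init(); // start the read as soon as the background script loads
  return { onActionClicked, reinitialize: init };
}

// Constructed demo: a fake storage read whose callback is fired manually.
function demo(err, account) {
  const opened = [];
  let finishRead = null;
  const gate = createActionGate((cb) => { finishRead = cb; }, (v) => opened.push(v));
  const early = gate.onActionClicked(); // user clicks before storage answers
  const before = opened.slice();        // views opened so far (none expected)
  finishRead(err, account);             // storage read completes
  gate.onActionClicked();               // a later click routes immediately
  return { early, before, opened };
}
```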

  • Notifications justification

Removed; it's not necessary at this point.

  • Storage justification

We use the Storage API to store encrypted user account data and various personalization settings such as AES ciphertext, password hash, salt hashes, login retry, lockout metadata, last activity time, vault timeout, and more.

  • Tabs justification

We use tabs to read the active tab's `title`, `url`, and `favIconUrl` properties. We need them to display this information to the user for identification purposes when authorizing the connection to the website, and also to save this data in storage to track the authorized websites.

  • Host permission justification

We want the extension to inject JS snippets with the SDK into any website that uses the https scheme. This is necessary so that any website that wants to integrate with our product can communicate with our extension through the injected snippets, subscribe to events, and detect whether the user has installed our extension.

  • Are you using remote code?

No
