Browser Extensions implementation checklist

Ensure manifest_version is set to 3 and no deprecated Manifest V2 keys (like background.scripts or web_accessible_resources as strings) are present.

Verify that host_permissions only include specific domains required for functionality rather than using broad <all_urls> patterns.

Explicitly list only the specific files (images, fonts, scripts) that need to be accessible to web pages in the web_accessible_resources array with strict matches.

Cross-reference the 'permissions' array with your code to remove any unused APIs like 'tabs', 'storage', or 'management' that trigger additional review scrutiny.

Ensure the 'action' key is used instead of 'browser_action' or 'page_action' and includes default_icon, default_title, and default_popup.

Verify that the background service worker does not rely on global state; use chrome.storage.local or session to persist data across worker restarts.

Ensure all chrome.runtime.onMessage and other event listeners are registered synchronously at the top level of the service worker script.

Convert all instances of setInterval or setTimeout in background scripts to the chrome.alarms API to ensure execution after service worker suspension.

Add try-catch blocks and check for chrome.runtime.lastError when using sendResponse to prevent service worker crashes on port closure.

Measure service worker boot time; ensure it completes execution in under 50ms to prevent browser-side termination during heavy load.

Define a strict CSP in manifest.json that disallows 'unsafe-eval' and restricts script-src to 'self'.

Use DOMPurify or a similar library when injecting dynamic content into the page via content scripts to prevent XSS vulnerabilities.

Verify that no LLM or third-party API keys are hardcoded in the extension; use a proxy backend or chrome.storage for user-provided keys.

Check that chrome.runtime.onMessageExternal is either not used or has a strict whitelist of allowed sender IDs to prevent unauthorized control.

Ensure PII or authentication tokens are stored in chrome.storage.local (unencrypted) only if necessary, or use a secure remote session.

Wrap all injected UI elements in a Shadow Root to prevent host page CSS from leaking into the extension and vice versa.

If not using Shadow DOM, ensure all CSS classes use a unique, extension-specific prefix to avoid naming collisions with target websites.

Use 'matches' and 'exclude_matches' in the manifest to restrict content scripts to only the specific sub-paths where functionality is required.

Ensure content scripts do not expose sensitive extension functions to the window object of the host page.

If using chrome.scripting.executeScript, verify that the 'target' object includes the correct tabId and frameIds.

Verify that the total extension package size is minimized; compress all PNG/SVG icons and minify bundled JavaScript.

Confirm that icons are provided in all required sizes: 16x16, 32x32, 48x48, and 128x128 pixels.

If using chrome.storage.sync, verify that the data payload per item is under 8KB and the total is under 100KB.

Ensure the popup or side panel displays a loading indicator immediately if data is being fetched from an external API or background script.

Test extension behavior when the browser is offline; ensure UI elements fail gracefully without hanging.

Ensure the privacy policy URL is active and specifically describes how user data is collected, used, and shared per CWS Developer Terms.

Review the extension description and features to ensure it serves a single, clear purpose as required by Chrome Web Store policies.

Verify that the 440x280 small tile, 920x680 large tile, and 1400x560 marquee tile images are ready and meet Chrome's design guidelines.

Integrate a build script that syncs the version number in package.json with the version field in manifest.json before every release.

Run the extension in Firefox (using polyfills if necessary) and Safari to ensure logic doesn't rely on Chrome-only non-standard behaviors.