Why AliShopping Uses Only 1 Chrome Permission

The AliShopping Tools Chrome extension requests a single permission in its manifest: storage. Nothing else. This is deliberate, documented in the CWS listing, and verified by any user who clicks "Details" on the Chrome Web Store listing.

Why this matters: most competing ecommerce research extensions request 3-5 sensitive permissions including "read your browsing history" and "access data on all websites." Users click through these prompts without understanding what they just approved.

This post explains what each common permission actually grants, what AliShopping deliberately does NOT use, and how to evaluate any extension's privacy posture before installing.

The storage Permission — What AliShopping Uses

The storage permission grants access to chrome.storage.local and chrome.storage.sync APIs. This lets the extension save small amounts of data (user settings, cache, interaction counts) locally in the browser.

Storage is partitioned per-extension. AliShopping's storage cannot be read by other extensions or websites. It cannot be used to track your browsing. It cannot access your passwords, cookies, or form data.

This permission is table stakes for any extension that has user preferences or needs to cache API responses.

What AliShopping Deliberately Does NOT Request

<all_urls> Host Permission — NOT REQUESTED

Many extensions request <all_urls> which allows content-script injection on every website you visit. This is the broadest possible access — the extension can read and modify any page content on any website.

AliShopping does NOT request <all_urls>. Instead, the extension uses the content_scripts.matches field in manifest.json to declare specific URL patterns where content scripts should run (AliExpress product pages, Shopify storefronts, TikTok pages). On any page NOT matching these patterns, AliShopping has zero access.

This is a meaningful distinction. An extension with <all_urls> can read your Gmail, your bank account page, any internal company tools. An extension with specific content_scripts.matches can only run on the pages you deliberately visit within its scope.

tabs Permission — NOT REQUESTED

The tabs permission grants access to the chrome.tabs API which lets extensions query what other tabs you have open, read their URLs, and move tabs around. This is how some extensions track your browsing across sites even when the extension's content scripts are not active.

AliShopping does NOT request tabs. It cannot see what other tabs you have open. It cannot track browsing across websites.

history Permission — NOT REQUESTED

The history permission grants access to your full Chrome browsing history. Extensions with this permission can see every site you have visited, search that history, and even delete entries.

AliShopping does NOT request history. It cannot see your browsing history at all.

notifications Permission — NOT REQUESTED

The notifications permission allows extensions to show desktop notification popups. This is not dangerous by itself but signals an intent to interrupt users (often with promotional messages).

AliShopping does NOT request notifications. It cannot show desktop notifications. Interaction with the extension only happens when you actively open the panel on supported pages.

alarms Permission — REMOVED IN v15

The alarms permission lets extensions schedule background tasks. Version 14 of AliShopping added this permission for a client-side Watchlist price-check feature. Chrome MV3 auto-disabled the extension for every existing user on update, showed the "new permissions required" prompt, and many users interpreted this as "the extension is spying now" and uninstalled.

Version 15 rolled back alarms. The Watchlist feature was redesigned to work without alarms (backend cron + in-app badge instead of client-side scheduling). The extension lost measurable WAU from the permission prompt incident and has not touched permissions since.

Full policy documented internally: never add a permission on update without stakeholder sign-off. If the backend can do the work, the backend does the work.

activeTab Permission — NOT REQUESTED

The activeTab permission is more nuanced — it only grants access to the currently active tab when the user clicks the extension icon. This is less dangerous than <all_urls> but still provides broad access when triggered.

AliShopping does NOT use activeTab. Content scripts inject only on matched URLs via content_scripts.matches, which is a more restrictive and predictable access pattern.

How Competitors Compare

Competitive ecommerce research extensions typically request:

Koala Inspector (example permissions profile)

• <all_urls> — read any site you visit
• storage — save settings
• tabs — see your other tabs

Commerce Inspector

• <all_urls> — broad access
• storage
• scripting — modify page content programmatically

AliHunter

• <all_urls>
• storage
• webRequest — intercept network requests

Typical ad-spy extensions (AdSpy, Dropispy plugins where offered)

• <all_urls>
• cookies — read your website cookies
• webRequest
• webNavigation

Every paid-tool competitor has broader permissions than AliShopping. This is not because their functionality actually requires broader access — it is because building features like "track the user across tabs" is easier with tabs permission than architecting around the constraint.

AliShopping deliberately chose the constraint. The architecture is harder (cross-tab-attribution requires session-based storage and explicit user flow rather than broad tab visibility) but the privacy posture is genuinely different.

How to Verify Any Extension's Permissions

Before installing any Chrome extension:

1. Open the Chrome Web Store listing
2. Click "Details" under the extension title
3. Scroll to the bottom to the "Permissions" section
4. Read every permission and understand what it grants

If you see <all_urls>, the extension can read every page you visit. Decide if you trust that.

If you see tabs or history, the extension can track your browsing across sites. Decide if you trust that.

If you see webRequest or webRequestBlocking, the extension can intercept and modify your network traffic. This is the most powerful permission and should be reserved for trust-critical tools (ad blockers, password managers from established companies).

Why Privacy Posture is a Trust Signal

Users cannot audit extension source code before installing. Chrome does review extensions for policy compliance, but the review does not catch subtle tracking implementations.

Your best signal of extension trustworthiness is the permission profile itself. An extension that requests minimal permissions usually:

• Has architectural discipline (building features within constraints)
• Has legal/privacy-aware leadership (understands that data collection creates liability)
• Is not monetized via user-data resale (data brokers need broad access to harvest)

An extension that requests everything usually monetizes via data collection, ad injection, or reselling user behavior signals to analytics companies.

AliShopping's monetization model: optional affiliate links when you navigate from the extension to an AliExpress product. This does not require any of the broader permissions. The minimal permission posture is genuinely feature-aligned with the business model.

Install With Confidence

Install AliShopping Tools free — single storage permission, no broader access. Verify yourself by clicking "Details" on the CWS listing before approving.

If you are currently using a paid ecom research extension with broader permissions and you have not read what those permissions actually grant, do the verification now. You may discover you have granted access you did not realize.

Privacy-first tooling is a genuine differentiator in the ecommerce extension category. AliShopping built it that way deliberately.