Published: May 29, 2025
From Chrome 138 there's a series of changes to user scripts (chrome.userScripts API) in Chrome Extensions, focusing on enhancing security and providing users with more granular control. This update addresses valuable feedback received from the developer community and their users.
Previously, enabling user scripts required turning on the global Developer Mode toggle within Chrome. We've heard from you that this approach had some key limitations as it relates to security, functionality, and enterprise.
Specifically, the reliance on the global Developer Mode toggle had the following issues:
- Security Risks: Once developer mode was enabled, new extensions which requested the userScripts permission automatically gained the ability to run user scripts, potentially without explicit user consent or awareness of the risks associated with each new extension.
- Functionality Overload: The Developer Mode toggle controls several other developer-oriented permissions, making it less precise for managing the specific permission to run user scripts.
- Enterprise Challenges: Many enterprises prefer not to enable developer mode on managed devices, which effectively prevents them from deploying or using extensions that rely on the chrome.userScripts API.
To address these concerns and improve the security and usability of Chrome extensions, we are transitioning from the global Developer Mode toggle to a new per-extension Allow User Scripts toggle.
This new toggle, accessible on the extension detail page from Chrome 138 (chrome://extensions/?id=<your_extension_id>), lets users explicitly control the extension's ability to run user scripts on an individual extension basis. This provides more granular control and reduces potential security risks.
During the transition period, versions of Chrome prior to 138 will continue to use the Developer Mode toggle, while versions at 138 or newer will use the new per-extension Allow User Scripts toggle. On the first launch of 138 and newer a one-time migration will automatically enable the new toggle for existing extensions that have been granted the userScripts permission if the Developer Mode toggle is enabled. All new extensions installed after the migration will default to the Allow User Scripts toggle being set to off.
In addition, to check the availability of the User Scripts API, extensions previously had to attempt to access chrome.userScripts. This threw an error if developer mode was disabled. From Chrome 138, the behavior aligns with other APIs and the API is undefined if unavailable. Nonetheless, we'd recommend this check to determine if the API is available since it covers all Chrome versions:
function isUserScriptsAvailable() {
  try {
    // Method call which throws if API permission or toggle is not enabled.
    chrome.userScripts.getScripts();
    return true;
  } catch {
    // Not available.
    return false;
  }
}
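The following is an added example, not code from the Chrome documentation: it applies the check above to decide which toggle to point the user at and registers scripts only once access is granted. The names describeUserScriptsAccess and registerIfAllowed and the mock objects are hypothetical, and the chrome object is passed in as a parameter so the three states described in this post can be exercised outside the browser.

```javascript
// Added example: describeUserScriptsAccess, registerIfAllowed and the mock
// objects are hypothetical names, not part of the chrome.* API.

// Same check as isUserScriptsAvailable() above, with the `chrome` object
// passed in so it can be exercised outside the browser.
function isUserScriptsAvailable(chromeApi) {
  try {
    // Before 138 the property access itself throws; from 138 the API is
    // undefined, so the method call throws a TypeError instead.
    chromeApi.userScripts.getScripts();
    return true;
  } catch {
    return false;
  }
}

// Work out which toggle the user has to change on their Chrome version.
function describeUserScriptsAccess(chromeApi, chromeMajorVersion) {
  if (isUserScriptsAvailable(chromeApi)) {
    return { available: true, userAction: null };
  }
  const userAction = chromeMajorVersion >= 138
    ? "Enable 'Allow User Scripts' on this extension's details page"
    : "Enable Developer Mode on chrome://extensions";
  return { available: false, userAction };
}

// Register only when access was granted; new installs default to the
// toggle being off, so never assume access right after installation.
async function registerIfAllowed(chromeApi, chromeMajorVersion, scripts) {
  const status = describeUserScriptsAccess(chromeApi, chromeMajorVersion);
  if (status.available) {
    await chromeApi.userScripts.register(scripts);
  }
  return status;
}

// Constructed stand-ins for the three states this post describes.
const mockPre138Off = {
  get userScripts() { throw new Error("developer mode required"); },
};
const mock138Off = { userScripts: undefined };
function makeMockOn() {
  const registered = [];
  const userScripts = {
    getScripts: async () => registered,
    register: async (scripts) => { registered.push(...scripts); },
  };
  return { registered, userScripts };
}
```

In an extension, pass the real chrome object; the major version has to come from the extension's own version detection, which this example leaves to the caller.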
Administrators who previously managed user scripts by disabling developer mode should now use the blocked_permissions policy or the Google Admin console to control extensions that use the chrome.userScripts API. We are evaluating further changes to how chrome.userScripts access can be controlled for force-installed extensions so stay tuned to administrator release notes for updates.
We believe this change will provide users with more precise control over extension capabilities, leading to enhanced security and a more transparent experience. We encourage extension developers to update their documentation to reflect this change and ensure a smooth transition for their users.
You can learn more about the changes and new behavior in our documentation.
We appreciate the feedback from the developer community that drove this improvement and remain committed to creating a secure and user-friendly experience for all.