Tampermonkey® by Jan Biniok

Q304: What permissions are necessary to run Tampermonkey and why?

A304 Tampermonkey requires the following permissions. Some of them might be optional at some browsers and need to be granted only when used.

  • "notifications" for GM_notification, Tampermonkey related notifications
  • "tabs" to find the active tab and navigate, create and close tabs in general
  • "idle" to not show update notifications if your playing a game
  • "webNavigation" install userscripts, check URLs for matching scripts
  • "webRequest webRequestBlocking" install userscripts, check URLs for matching scripts, modify request details for GM_xmlhttpRequest
  • "storage" to store your userscripts
  • "unlimitedStorage" to store many of your userscripts 🤓
  • "contextMenus" for @run-at context-menu
  • "chrome://favicon/" to easily get the favicons of pages
  • "clipboardWrite" for GM_setClipboard
  • "cookies" GM_xmlhttpRequest, GM_cookies
  • "<all_urls>" to run your userscripts at every page and to allow them to modify the page
  • "downloads" GM_downloads, storing Tampermonkey backups

In Chrome these permissions translate to:

  • Read your browsing history
  • Display notifications
  • Modify data you copy and paste

Especially the first one looks a little bit strange. In fact it's not possible for Tampermonkey to get access to your browser history when it is installed. In theory Tampermonkey could access the history of all currently open tabs and store "new" history once installed, but this is neither needed nor done. However, because of this fact the Chrome team maybe thought that printing a too broad warning is better than a too flat one. There also is a bug report for this.

Edge displays similar permissions to Chrome:

  • Read your browsing history
  • Display notifications
  • Modify data you copy and paste

Edge may show additional permission labels depending on the installed version, as Edge uses its own localized strings for extension permission prompts. The underlying extension capabilities are the same as Chrome's since both use Chromium.

Especially the "Read your browsing history" label looks a little bit strange — but this is a known Chromium behavior. Tampermonkey cannot access full browser history; it can only see URLs of currently open tabs. See this bug report for details.

In Firefox these permissions translate to:

  • Access your data for all websites
  • Input data to the clipboard
  • Download files and read and modify the browser's download history
  • Display notifications to you
  • Access browser tabs
  • Store unlimited amount of client-side data
  • Access browser activity during navigation

Firefox also lists an optional "Control browser proxy settings" permission that applies only if you use Tampermonkey's proxy-related features. Firefox uses Manifest V2 for Tampermonkey, which means more granular permission labels compared to Chromium-based browsers.

Opera displays a longer set of permissions with distinct wording:

  • This extension can access your data on all websites
  • This extension can write data into the clipboard
  • This extension can create rich notifications and display them to you in the system tray
  • This extension can access your tabs and browsing activity
  • This extension can store an unlimited amount of client-side data

Despite being Chromium-based, Opera uses its own permission labels — notably "access your tabs and browsing activity" instead of Chrome's "Read your browsing history", and "write data into the clipboard" instead of "Modify data you copy and paste". The underlying capabilities are the same across both browsers.