So you’ve built a Chrome extension.<\/p>\n\n\n\n
Maybe it’s a tiny productivity helper. Or maybe you’ve gone full detective mode like I did with my Factors SDK Debugger<\/strong> \u2013 a utility that sniffs out analytics SDK implementations, monitors network calls, and tracks form submissions. It\u2019s the kind of tool that gives you X-ray vision for web pages.<\/p>\n\n\n\n Now comes the fun part: getting it into the Chrome Web Store.<\/p>\n\n\n\n On paper, it sounds simple: zip it, upload it, done.<\/p>\n\n\n\n In reality? Not quite. Here\u2019s what actually happens.<\/p>\n\n\n\n First, you need a developer account. Google charges a one-time $5 registration fee<\/strong>. Think of it as a \u201cI\u2019m serious about this\u201d filter.<\/p>\n\n\n\n You\u2019ll also want a dedicated email address \u2013 something you actually check \u2013 because that\u2019s where Google sends important alerts, policy warnings, and rejection emails.<\/p>\n\n\n\n You zip your extension folder, making sure Easy enough.<\/p>\n\n\n\n But this is where things start to get interesting once your extension isn\u2019t just a \u201chello world\u201d popup.<\/p>\n\n\n\n For my SDK debugger, the manifest asks for some pretty heavy permissions:<\/p>\n\n\n\n These aren\u2019t your typical \u201clet me access this one site\u201d permissions.<\/p>\n\n\n\n These are more like \u201cI want to see everything that\u2019s going on in the browser.\u201d And Google is very<\/strong> suspicious of that.<\/p>\n\n\n\n This is where a lot of extensions quietly die.<\/p>\n\n\n\n The Chrome Web Store has a \u201cPrivacy\u201d<\/strong> section where you must declare your data practices. For every permission and every bit of data, you need to explain:<\/p>\n\n\n\n My extension captures network calls, form data, and cookies. I had to write what felt like a small essay explaining that:<\/p>\n\n\n\n The more transparent and specific you are here, the better your chances.<\/p>\n\n\n\n You hit \u201cPublish\u201d<\/strong> and\u2026 then you wait.<\/p>\n\n\n\n Review times can range from a few hours to several days<\/strong>. During that time, Google\u2019s review bots (and sometimes actual humans) are poking at your extension, scanning:<\/p>\n\n\n\n They\u2019re basically looking for any sign that you\u2019re violating policies or doing something sketchy.<\/p>\n\n\n\n This is the part people usually only learn the hard way.<\/p>\n\n\n\n This is the number one killer.<\/p>\n\n\n\n Google will reject your extension if your requested permissions aren\u2019t narrowly scoped<\/strong> or clearly justified<\/strong>. Even if your extension genuinely needs broad access, you have to justify every single permission like you\u2019re defending it in court.<\/p>\n\n\n\n Common rejection reason:<\/strong> Rough translation:<\/strong> How to fix it:<\/strong> Bad:<\/p>\n\n\n\n I need Better:<\/p>\n\n\n\n I use Apply that level of detail to every<\/em> permission.<\/p>\n\n\n\n Requesting Google\u2019s default assumption is: \u201cWhy do you need access to everything<\/em>?\u201d<\/p>\n\n\n\n If your extension legitimately needs full web access (like a debugging tool does), you\u2019ll need to:<\/p>\n\n\n\n If you really must use No privacy policy? Expect an automatic rejection.<\/p>\n\n\n\n Even if your extension is free. You need a publicly accessible privacy policy URL<\/strong> that clearly explains:<\/p>\n\n\n\n You don\u2019t need a 30-page legal document, but you do need something clear, honest, and easily accessible.<\/p>\n\n\n\n Chrome extensions are supposed to have a single, well-defined purpose<\/strong>.<\/p>\n\n\n\n My SDK debugger:<\/p>\n\n\n\n That sounds like three different things, but I had to frame it as one coherent purpose:<\/p>\n\n\n\n \u201cDebugging and verifying analytics SDK implementations.\u201d<\/p>\n<\/blockquote>\n\n\n\n If your extension:<\/p>\n\n\n\n \u2026you\u2019re going to get flagged. Split multi-purpose extensions into separate ones or tie everything tightly to one clear, central purpose.<\/p>\n\n\n\n If your extension injects scripts into web pages (for example, an Modern sites often have strict CSP headers that block:<\/p>\n\n\n\n A common workaround is to configure your content script with But doing this means:<\/p>\n\n\n\n Google will look at this closely, so don\u2019t be vague about it.<\/p>\n\n\n\n Sometimes you\u2019ll get rejected for reasons that feel\u2026 odd.<\/p>\n\n\n\n One developer reportedly got flagged because their extension description said it \u201crequires local storage.\u201d<\/strong> Not because it actually used Pro tip:<\/strong> Small wording tweaks can make a big difference.<\/p>\n\n\n\n Manifest V3 is now the standard. If you\u2019re still on V2, you\u2019re not going anywhere.<\/p>\n\n\n\n V3 changes how extensions work, especially around:<\/p>\n\n\n\n I had to completely refactor my extension from V2 to V3, moving from persistent background pages to service workers and redesigning how I capture network calls.<\/p>\n\n\n\n If you\u2019re starting fresh, start with V3 from day one. It\u2019s painful to retrofit later.<\/p>\n\n\n\n You technically need at least one<\/strong> screenshot to publish, but realistically you want 3\u20135 solid ones<\/strong> showing your extension in action.<\/p>\n\n\n\n The Chrome Web Store has some annoyingly specific requirements. Your screenshots should:<\/p>\n\n\n\n For my SDK debugger, I had to stage specific \u201cscenes\u201d:<\/p>\n\n\n\n It feels like overkill, but good screenshots really do help both with approval and discoverability.<\/p>\n\n\n\n Your manifest\u2019s Bad:<\/p>\n\n\n\n SDK Debugger Tool for Analytics<\/p>\n<\/blockquote>\n\n\n\n Better:<\/p>\n\n\n\n Factors SDK Debugger \u2013 Debug Analytics Implementations & Monitor Network Calls<\/p>\n<\/blockquote>\n\n\n\n Your long description supports basic formatting, so use headings and bullet points to make it scannable. Avoid keyword stuffing \u2013 Google doesn\u2019t like that either.<\/p>\n\n\n\n If you\u2019re building an internal tool<\/strong> like mine (primarily for your own team), you may not need full public publication.<\/p>\n\n\n\n You can:<\/p>\n\n\n\n This route can reduce friction with reviews and still give you a smooth install\/update experience, at the cost of a smaller audience.<\/p>\n\n\n\n A bit of prep work goes a long way.<\/p>\n\n\n\n Do these things first:<\/p>\n\n\n\n Don\u2019t take it personally. Rejection is almost part of the process.<\/p>\n\n\n\n Most rejections are due to:<\/p>\n\n\n\n Read the rejection email carefully, fix exactly what\u2019s mentioned, and resubmit.<\/p>\n\n\n\n There\u2019s no penalty for multiple submissions, as long as you\u2019re actually addressing the issues and not trying to sneak around policies.<\/p>\n\n\n\n Once your extension is live, you don\u2019t want to manually upload zips forever.<\/p>\n\n\n\n After the first manual submission, you can set up GitHub Actions (or any CI\/CD pipeline)<\/strong> to automate future updates.<\/p>\n\n\n\n You\u2019ll need:<\/p>\n\n\n\n The pipeline can:<\/p>\n\n\n\n The first time is always manual, but after that, you can treat Chrome Web Store publishing like any other deployment step.<\/p>\n\n\n\n The Factors SDK Debugger<\/strong> exists because our team kept asking the same questions:<\/p>\n\n\n\n I built the extension to answer those questions automatically.<\/p>\n\n\n\n It:<\/p>\n\n\n\n Publishing it internally<\/strong> was easy.<\/p>\n\n\n\n Getting it Web Store\u2013ready<\/strong>? That took work \u2013 and three rejections<\/strong>.<\/p>\n\n\n\n The fourth submission<\/strong> finally went through. Review time: about 18 hours.<\/p>\n\n\n\n Publishing a Chrome extension isn\u2019t just about writing code.<\/p>\n\n\n\n It\u2019s about:<\/p>\n\n\n\n If you\u2019re building something simple with minimal permissions, you\u2019ll probably sail through without much drama.<\/p>\n\n\n\n If you\u2019re building a powerful debugging or automation tool that needs broad access, expect a few rejections. Treat each one as feedback on how to be more precise and transparent.<\/p>\n\n\n\n And if you decide it\u2019s not worth jumping through all the hoops for a public listing, the trusted tester<\/strong> or private<\/strong> route is always there. Some of the best tools live quietly inside a small team and never see the public store at all.<\/p>\n\n\n\n Either way, zip that folder and start the journey. Collect a few rejections. Tune the wording. Iterate.<\/p>\n\n\n\n You\u2019ll get there.<\/p>\n","protected":false},"excerpt":{"rendered":" So you’ve built a Chrome extension. Maybe it’s a tiny productivity helper. Or maybe you’ve gone full detective mode like I did with my Factors SDK Debugger \u2013 a utility…<\/p>\n","protected":false},"author":1,"featured_media":150,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[8,4],"tags":[],"class_list":["post-30","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-learn-with-me","category-tech-posts"],"jetpack_featured_media_url":"https:\/\/balamurali.in\/blog\/wp-content\/uploads\/2026\/02\/chrome_extension_publishing.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/posts\/30","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/comments?post=30"}],"version-history":[{"count":1,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/posts\/30\/revisions"}],"predecessor-version":[{"id":32,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/posts\/30\/revisions\/32"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/media\/150"}],"wp:attachment":[{"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/media?parent=30"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/categories?post=30"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/balamurali.in\/blog\/wp-json\/wp\/v2\/tags?post=30"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
\n\n\n\nThe “Simple” Process (And Where It Gets Messy)<\/h2>\n\n\n\n
Step 1: The $5 Toll Booth<\/h3>\n\n\n\n
\n\n\n\nStep 2: Packaging Your Baby<\/h3>\n\n\n\n
manifest.json<\/code> is at the root (not tucked away in some nested folder).<\/p>\n\n\n\n\n
<all_urls><\/code> (to monitor any website)<\/li>\n\n\n\nwebRequest<\/code> (to intercept network calls)<\/li>\n\n\n\ncookies<\/code><\/li>\n\n\n\nstorage<\/code><\/li>\n\n\n\ntabs<\/code><\/li>\n<\/ul>\n\n\n\n
\n\n\n\nStep 3: The Privacy Tab Interrogation<\/h3>\n\n\n\n
\n
\n
\n\n\n\nStep 4: The Waiting Game<\/h3>\n\n\n\n
\n
\n\n\n\nThe Challenges Nobody Warns You About<\/h2>\n\n\n\n
1. The Permission Justification Gauntlet<\/h3>\n\n\n\n
\u201cYour product violates the \u2018Use of Permissions\u2019 section of the policy.\u201d<\/p>\n\n\n\n
\u201cYou\u2019re asking for a lot, and your explanation is too vague.\u201d<\/p>\n\n\n\n
Be comically, almost painfully specific.<\/p>\n\n\n\n\n
storage<\/code> to store data.<\/p>\n<\/blockquote>\n\n\n\n\n
storage<\/code> to persist user preferences across sessions, including:<\/p>\n\n\n\n\n
\n\n\n\n2. The
<all_urls><\/code> Death Sentence<\/h3>\n\n\n\n<all_urls><\/code> or patterns like http:\/\/*\/<\/code> and https:\/\/*\/<\/code> is a massive red flag.<\/p>\n\n\n\n\n
activeTab<\/code> instead, if your use case allows it<\/li>\n<\/ul>\n\n\n\n<all_urls><\/code>, assume you\u2019ll have to defend that choice in detail in your listing and privacy section.<\/p>\n\n\n\n
\n\n\n\n3. The Privacy Policy Vacuum<\/h3>\n\n\n\n
Even if it\u2019s only used internally.
Even if you swear you don\u2019t track anything.<\/p>\n\n\n\n\n
\n\n\n\n4. The \u201cSingle Purpose\u201d Trap<\/h3>\n\n\n\n
\n
\n
\n
\n\n\n\n5. The Content Security Policy Tango<\/h3>\n\n\n\n
interceptor.js<\/code> running in the MAIN<\/strong> world), you\u2019re going to run into Content Security Policy (CSP)<\/strong>.<\/p>\n\n\n\n\n
world: \"MAIN\"<\/code> and then inject your script via a <script><\/code> tag. This lets your code run in the same context as the site\u2019s scripts.<\/p>\n\n\n\n\n
\n\n\n\n6. The Reviewer Whack-a-Mole<\/h3>\n\n\n\n
storage<\/code>, but because of how the description was phrased. The word \u201crequire\u201d can sometimes trip automated checks and make it sound like you\u2019re hoarding user data.<\/p>\n\n\n\n
Have a friend or teammate review your Chrome Web Store listing. Fresh eyes catch:<\/p>\n\n\n\n\n
\n\n\n\n7. The Manifest Version Vortex<\/h3>\n\n\n\n
\n
\n\n\n\n8. The Screenshot Perfection Requirement<\/h3>\n\n\n\n
\n
\n
\n\n\n\n9. The Description SEO Balancing Act<\/h3>\n\n\n\n
name<\/code> and description<\/code> are indexed by the Chrome Web Store search. You want them to:<\/p>\n\n\n\n\n
\n
\n
\n\n\n\n10. The Trusted Tester Escape Hatch<\/h3>\n\n\n\n
\n
\n\n\n\nHow to Not Lose Your Mind<\/h2>\n\n\n\n
Before You Hit Publish<\/h3>\n\n\n\n
\n
There\u2019s an audit specifically for extensions. It checks performance and best practices.<\/li>\n\n\n\n
No other extensions, no cached data. This helps you catch issues you might miss in your daily driver profile.<\/li>\n\n\n\n
Write down why you need each permission and what data it touches. Then copy-paste that into the privacy section and your store listing.<\/li>\n\n\n\n
Optional, but it\u2019s handy if your extension ever reaches manual review. It also helps you explain the extension to users.<\/li>\n\n\n\n
There are file size limits. Optimized images load faster and keep the upload process painless.<\/li>\n<\/ol>\n\n\n\n
\n\n\n\nIf You Get Rejected<\/h3>\n\n\n\n
\n
\n\n\n\nThe Automated Submission Shortcut<\/h3>\n\n\n\n
\n
\n
\n\n\n\nMy Extension\u2019s War Story<\/h2>\n\n\n\n
\n
\n
\n
I had to expand my privacy and description section from a short paragraph into several detailed explanations, breaking down each permission and what it touches.<\/li>\n\n\n\n
I spun up a simple site (GitHub Pages works well) with a proper, written-out privacy policy and linked it in the listing.<\/li>\n\n\n\n
I retook the screenshots using DevTools and cropping so only the content area and extension UI were visible, in the exact required resolutions.<\/li>\n<\/ol>\n\n\n\n
\n\n\n\nThe Bottom Line<\/h2>\n\n\n\n
\n