Local Password Manager

About

1. Single Purpose Description
A secure, offline-first password manager that allows users to generate, encrypt, and store credentials locally. It enables users to auto-fill login forms on websites and copy credentials to the clipboard directly from the extension popup.

2. Permission Justifications
Permission: storage

Justification: This permission is strictly used to save the user's encrypted password vault and application settings (such as the session timeout timestamp) locally within the browser's storage (chrome.storage.local and chrome.storage.session). No data is ever transmitted to external servers.

Permission: activeTab

Justification: This permission is required to identify the current website's domain (URL) when the user opens the extension. This allows the extension to filter and display only the passwords relevant to the site the user is currently visiting, and to generate the correct favicon for the UI. It also grants temporary access to the current page to perform the auto-fill action only when initiated by the user.

Permission: scripting

Justification: This permission is used to programmatically inject a content script into the active web page only when the user explicitly clicks the "Fill" button. The script locates username and password input fields on the page and populates them with the credentials selected by the user.

Permission: clipboardWrite

Justification: This permission is used to allow the user to copy their username or password to their system clipboard by clicking the "Copy" button within the extension interface.

3. Remote Code Use (Important)
You should likely select "No" for this.

Since we updated your code to remove Firebase and you are using Manifest V3, Remote Code is technically prohibited. Your extension is now self-contained (all the JavaScript is inside the files you uploaded: popup.js, background.js, crypto logic).

If there is a checkbox asking "Does your extension use remote code?": Uncheck it / Select No.

If you are forced to enter text: You may have a lingering file in your upload or the store is flagging something. However, if you must justify it, check your manifest.json again. If content_security_policy is present and allows remote sources, remove it.

Recommendation: Ensure you deleted the firebase/ folder and firebase lines from package.json before zipping your file. If you have done this, you do not use remote code.

4. Data Usage Certification
When you scroll down to the data usage section, you will see checkboxes. Here is how you should likely answer based on the code we wrote:

Does your extension collect user data? -> No (Because chrome.storage.local is considered local to the device, not "collection" by you, the developer).

Note: If you select "Yes" (to be safe because you store passwords), you must specify that it is "Authentication information" and "Personal communications" (passwords), but then you must certify that "The data is not sold to third parties", "The data is not used for lending/credit", etc.

Safest/Most Accurate Route for this Local Extension: Since the data stays on the user's machine and you (the developer) never see it:

Do you collect user data? -> No.

If the form forces you to declare storage as collection: Select Authentication information, and mark that it is used for "App functionality" only.

5. Reviewing the manifest.json
Before you submit, ensure your manifest.json looks exactly like the clean version we created. If you still have host_permissions pointing to Firebase or Google, the reviewer will reject the justifications above.