See the documentation: https://developer.chrome.com/extensions/permission_warnings
That's how tabs permission has always been displayed in the dialog.

It's not specific to active tab as it's possible to use chrome.tabs to read the browsing history in any tab, so the message is correct, but I agree it's overly broad -- because the extension can read only the URLs declared in permissions, that is in cases such as this one (when there are only several sites allowed) the dialog message might have been "Read your browsing history on the sites listed above".

Indeed you are right, only urls provided.
So you think there is a chance to make a more "User friendly" message out of this?

Able to reproduce this issue on Windows 10, Mac OS 10.13.5 and Ubuntu 14.04 on the reported version 67.0.3396.87 and the latest Canary 69.0.3457.2..
While trying to add the extension, can see the message "Read your browsing history".

This is a Non-Regression issue as this behavior is observed from M-60 chrome builds.

Hence marking this as Untriaged for further updates from Dev.

Thanks..

Deleted: 852704.mp4 832 KB

	852704.mp4 832 KB View Download

> because the extension can read only the URLs declared in permissions, that is in cases such as this one (when there are only several sites allowed) the dialog message might have been "Read your browsing history on the sites listed above".

This isn't quite right.  With the "tabs" permission, the extension can "see" the URLs (not the page contents!) of any open tab.  This means it's pretty trivial to write an extension that effectively has all your browsing history from the time of installation:

chrome.tabs.onUpdated.addListener(function(tab) {
  recordUrl(tab.url);
});

We could potentially rephrase this to be "read your browsing history from the time of extension installation", but that's not very user friendly, and isn't a very significant difference (in the long run).

While it is a scary permission, user tracking is something we consider dangerous, and I'm not sure there's much we could do to tone this down while keeping it accurate for users.

I'm going to close this out for now, but I'm open to suggestions of ways we could change this if anyone has ideas.

The reason I rased this is that user was scared by the message, and I couldn't see the harm at first, now I do ;)
I would like the idea of rephrasing, which will be even more accurate from tech. perspective, something like:
"Record browsing activity on sites listed above, if specified"

In addition there is no mention of reading users cpu activity ;)

> I would like the idea of rephrasing, which will be even more accurate from tech. perspective, something like:
"Record browsing activity on sites listed above, if specified"

This still isn't quite accurate - the `tabs` permission allows recording *all* sites the user goes to, not just the ones on the origins specified in the permissions entry.  For instance, an extension like below can see *all* URLs the user has open, even though it doesn't specify any sites:

manifest.json:
{
  "name": "See all open tabs",
  "description": "Alert the user of all open tabs on browser action click.",
  "version": "0.1",
  "manifest_version": 2,
  "permissions": ["tabs"],  // Note: no origin permissions
  "background": { "scripts": ["background.js"], "persistent": false },
  "browser_action": {}
}

// background.js
chrome.browserAction.onClicked.addListener(function() {
  chrome.tabs.query({}, function(tabs) {
    let urls = [];
    for (let tab of tabs)
      url.push(tab.url);
    alert('Your tabs are: ' + JSON.stringify(urls));
  });
});

So telling the user that the extension could only see the browsing activity on the sites above is inaccurate.  (And, of course, the fact that this extension only does it based on the user clicking the browser action is totally optional - it could easily just listen to tabs.onCreated and tabs.onUpdated and send information to a server.)

The permissions to specific origins (e.g., specifying "https://*.example.com/*") allows the extension to inject scripts, see and modify cookies, see and modify network requests, etc for that site.  This results in the warning "Read and change your data on example.com sites", which is (potentially) more dangerous than just seeing the browsing history.  So these two really are different capabilities.

Does that make sense?

> In addition there is no mention of reading users cpu activity ;)

Yeah, we don't warn for every capability the extension has (for instance, we also don't warn for the storage API). Whether a permission has a warning displayed to the user is largely based on whether we think the API could be significantly abused.  Tracking user browsing activity is potentially very harmful, since it can contain a lot of PII (personally-identifiable information), and is something users should definitely have a say in.  Being able to see user CPU activity isn't as harmful, because it's fairly anonymous and doesn't have any PII, and doesn't have many abuse vectors.  As such, we don't explicitly warn the user about it.