I’m launching a Chrome extension and recently found out that requesting gmail.modify was enough to trigger a CASA review. I’m fully supportive of Google taking security seriously… I just didn’t realize upfront how quickly certain scopes escalate the process.
Note: for my extension, I am not changing, storing, editing, modifying or even reading the emails inside Gmail.
Here’s what actually triggered it:
1. Using gmail.modify
Even though my extension only needs to delay and adjust outgoing emails, any scope that can read or modify message content pushes you toward CASA.
2. chrome.identity + OAuth
Once you combine OAuth with a scope that touches user email, Google wants a clear explanation of how data is handled end-to-end.
3. Storing small amounts of email-related activity
Even encrypted metadata (like tracking edits) requires details on encryption, access, storage, and retention.
What Google asked me for:
- Encryption algorithms
- Screenshot of encrypted Firestore data
- Whether any Google user data is stored
- Why gmail.modify is required
- Where the data lives and who can access it
The process is thorough and ultimately a good thing… it just sets a higher bar than I expected when I started.
If you’ve gone through CASA or are preparing for it, share your experience. Hopefully this helps other devs know what to expect before they hit that point.