Mullvad browser and dark reader

I actually answered a similar question in another forum, here it is copy/pasted:

Basically, we need to look at the permissions an extension requires. The permissions an extension requests on install through the browser user interface are not fine-grained enough to determine whether the extension is potentially fingerprintable.

An extension is just an archive you can extract, packaging some HTML/CSS/JavaScript.
So if you look at the source code of an extension, you will find in it a file called the manifest, which lists the resources and permissions of the extension.

This is not an exhaustive list and you should not use it to determine if an extension is fingerprintable.
Furthermore, the situation is different for Firefox and Chromium browsers! This is focusing on the Firefox side.

Here are some things we can look out for:

  • Web accessible resources: these can be icons, CSS or other files which a page can view, and are probably unique per extension
  • Content scripts: this is basically whether the extension can inject a script and modify the webpages directly
  • Network/DNS requests: extensions can intercept requests and potentially modify them
  • Specific URLs or <all_urls>, which allow the extension to intervene in specific websites
  • Others I forget now most probably :smiley:

To function properly, an extension will sometimes require several of those permissions. To take the example of an extension adding a button to YouTube, it will require at the minimum to use a content script, and to access youtube.com.

There are cases where an extension will require more permissions than needed (the <all_urls> is a classic one), but for example uBlock Origin needs it. Sometimes an extension doesn’t need that much permission technically, but the permission you can ask for is not fine-grained enough.
Sometimes, if your extension needs to be displayed as an overlay on the page, you can only do it by modifying the page (an example would be a mouse gesture extension: since it relies on the position of the cursor, this can only happen by using a content script injected into the page, even though the function of the extension is not reliant on the website itself).

Now, even if an extension modifies the page content, it doesn’t mean that this can be used as a stable fingerprintable indicator. For example, if an extension only randomly modifies a webpage, it can’t be used as a reliable signal/metric.

As you can probably guess, it’s hard to reason about all of these parameters, even if you know what to look for. Which is why we recommend not to use extensions at all.

The solution I mentioned would help inform the user by indicating cases where extensions are not fingerprintable at all and show when permissions requested are potentially fingerprintable.

8 Likes