If you have a Chrome extension (i.e. IETab) that requires a lot of permissions for all sites you visit (such as "tabs", "webRequest" and "webNavigation"), is it possible with GPO or registry settings to restrict which sites this extension is allowed to have these permissions on, thus overriding the manifest?
I have noted that there is an ExtensionSettings GPO with a "runtime_block_hosts" key; however, it does not seem to actually remove the extension's permissions as expected when the extension itself requests the permissions for all sites in its manifest.
The manifest is part of the extension and should not be modified, so while the manifest is set up to allow access to all sites, if the browser permissions block it, the browser won't run that extension on a tab that it's been blocked from accessing.
The reason for this is that the extension authors don't know what sites you want it to run on or not to run on, so they have to set the manifest to all sites.
As Bernd and, I think, you have figured out, there is the ExtensionSettings GPO. These settings work after the manifest file, so if the manifest file or the GPO blocks access to a specific site, the browser will not allow the extension access to that site.
Have you defined the ExtensionSettings via GPO under the Computer settings versus User settings in the respective GPO? Computer settings take absolute preference and will enforce. Also, the default configuration can be set for the special ID '*', which will apply to all extensions that don't have a custom configuration set in the policy.
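The ExtensionSettings policy discussed in this thread, written to the machine-level (HKLM) policy key as a JSON string. This is an added example, not code from any of the posters. The extension ID and host patterns are placeholders, and the key name used is `runtime_blocked_hosts`, the spelling Chrome's policy schema uses.

```powershell
# Added example: set Chrome's ExtensionSettings policy for the whole machine.
# Run from an elevated PowerShell session. The extension ID and all host
# patterns below are placeholders, not values taken from the thread.
$extensionId = '<32-character-extension-id>'   # placeholder: copy from chrome://extensions

$settings = [ordered]@{
    # Default entry: applies to every extension without its own entry.
    '*' = [ordered]@{
        runtime_blocked_hosts = @('*://*.internal.example.com')
    }
    # Entry for the one extension being restricted.
    $extensionId = [ordered]@{
        # Hosts the extension may not interact with.
        runtime_blocked_hosts = @('*://*.example.com')
        # Exceptions that stay reachable even though they match a blocked pattern.
        runtime_allowed_hosts = @('*://legacy.example.com')
    }
}

# Chrome reads ExtensionSettings as one JSON string value under its policy key.
$json = $settings | ConvertTo-Json -Depth 5 -Compress
$key  = 'HKLM:\SOFTWARE\Policies\Google\Chrome'

if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
}
New-ItemProperty -Path $key -Name 'ExtensionSettings' -Value $json `
    -PropertyType String -Force | Out-Null

# Read the value back and re-parse it so a malformed string is caught here
# rather than being silently ignored by the browser.
$stored = (Get-ItemProperty -Path $key -Name 'ExtensionSettings').ExtensionSettings
$stored | ConvertFrom-Json | ConvertTo-Json -Depth 5
```

After running it, open `chrome://policy`, reload policies, and confirm that ExtensionSettings is listed as a machine-level policy with the expected value.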