Tabs API is usable without tabs permission.

chrome/renderer/extensions/dispatcher.cc

Index: chrome/renderer/extensions/dispatcher.cc
diff --git a/chrome/renderer/extensions/dispatcher.cc b/chrome/renderer/extensions/dispatcher.cc
index 7e4d3104817f1c9d652fee33e56fe477c4ed30b7..a828f2cee2dd7acfe3be50e32dc63386b0fcd5b9 100644
--- a/chrome/renderer/extensions/dispatcher.cc
+++ b/chrome/renderer/extensions/dispatcher.cc
@@ -1063,19 +1063,7 @@ bool Dispatcher::CheckCurrentContextAccessToExtensionAPI(
     return false;
   }
 
-  // We need to whitelist tabs.executeScript and tabs.insertCSS because they
-  // are granted under special circumstances with the activeTab permission
-  // (note that the browser checks too, so this isn't a security problem).
-  //
-  // Only the browser knows which tab this call will be sent to... sometimes we
-  // *could* figure it out (if the extension gives an explicit tab ID in the
-  // call), but the expected case will be the extension passing through -1,
-  // meaning the active tab, and only the browser safely knows what this is.
-  bool skip_permission_check = (function_name == "tabs.executeScript") ||
-                               (function_name == "tabs.insertCSS");
-
-  if (!skip_permission_check &&
-      !context->extension()->HasAPIPermission(function_name)) {
+  if (!context->extension()->HasAPIPermission(function_name)) {
     static const char kMessage[] =
         "You do not have permission to use '%s'. Be sure to declare"
         " in your manifest what permissions you need.";