gildas-lormeau / SingleFile

Web Extension for saving a faithful copy of a complete web page in a single HTML file
GNU Affero General Public License v3.0

Saving a page in an incognito/private/container tab is insecure #1606

Open danny0838 opened 2 weeks ago

danny0838 commented 2 weeks ago

Describe the bug

When saving a page in a private/incognito window, resources fetched by the background script of the extension are in the same session as a normal window, and thus can result in an inconsistent state or, worse, leak private information.

For Chromium this could be fixed using the incognito: split manifest, which forces the extension to use incognito-specific background scripts.

For Firefox, fetches for a private tab need to be done in an extension page in a private window. Additionally, the same issue also applies to a page in a non-default container.

To Reproduce

  1. Open a page which requires login to access it and its resources in an incognito/private window.
  2. Save it.
  3. Resources are not correctly saved.

Expected behavior

Resources should be saved correctly.

Environment

gildas-lormeau commented 1 week ago

Thank you again for the detailed issue. I fixed it in Chrome since it's an easy change, and the repository is specific to the MV3 port. Regarding Firefox, can you confirm the extension page used to fetch resources would be visible to the user?

danny0838 commented 1 week ago

I may be wrong, but currently I don't see any way to create an extension page invisibly. It may be possible through chrome.offscreen in MV3, but unfortunately it's not yet supported in Firefox.

gildas-lormeau commented 1 week ago

Thanks for the confirmation, I had a doubt and I'm pretty sure you're right. It's not great in terms of user experience. Maybe I'll wait for Mozilla to implement the offscreen API...

danny0838 commented 1 week ago

You are right. Though I think the inconsistency and potential security concern also deserve care...

Besides saving resources with a visible extension page in the same session as a tab, the other choice may be to simply disallow (or provide a warning about) saving a private/container tab.
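The fallback suggested in the comment above (warn about or disallow saving a private/container tab), sketched as an added example that is not part of this thread or of SingleFile's code. The helper names `sessionMismatch` and `decideSave` are hypothetical; the tab objects mirror the WebExtension `tabs.Tab` fields `incognito` and `cookieStoreId`, `ctx.inIncognitoContext` stands for `extension.inIncognitoContext` in the script doing the fetch, and the container rule assumes, as the issue describes, that background fetches use the default session.

```javascript
// Hypothetical guard: does the fetching context share the tab's session?
// tab: { incognito: boolean, cookieStoreId?: string }  (tabs.Tab shape)
// ctx: { inIncognitoContext: boolean }  (extension.inIncognitoContext of the fetcher)
function sessionMismatch(tab, ctx) {
  const reasons = [];
  const tabPrivate = Boolean(tab.incognito);
  const ctxPrivate = Boolean(ctx.inIncognitoContext);
  // Spanning-mode background (or any Firefox background script) is not
  // private, so fetching for a private tab uses the normal-window cookies.
  if (tabPrivate !== ctxPrivate) {
    reasons.push(tabPrivate
      ? "private tab, non-private fetch context"
      : "normal tab, private fetch context");
  }
  // Firefox containers: ids look like "firefox-container-<n>".
  // Assumption from the issue: the background fetch runs in the default jar.
  if (typeof tab.cookieStoreId === "string" &&
      tab.cookieStoreId.startsWith("firefox-container-")) {
    reasons.push("container tab (" + tab.cookieStoreId + ")");
  }
  return reasons;
}

// policy: "warn" (default) or "block", the two options raised in the thread.
function decideSave(tab, ctx, policy = "warn") {
  const reasons = sessionMismatch(tab, ctx);
  if (reasons.length === 0) return { action: "save", reasons };
  return { action: policy === "block" ? "block" : "warn", reasons };
}

// Constructed sample tabs (not taken from the issue).
const samples = [
  { tab: { incognito: false, cookieStoreId: "firefox-default" }, ctx: { inIncognitoContext: false } },
  { tab: { incognito: true, cookieStoreId: "firefox-private" }, ctx: { inIncognitoContext: false } },
  { tab: { incognito: false, cookieStoreId: "firefox-container-2" }, ctx: { inIncognitoContext: false } },
  // Chromium with "incognito": "split": the incognito background handles the tab.
  { tab: { incognito: true }, ctx: { inIncognitoContext: true } },
];
for (const { tab, ctx } of samples) {
  console.log(JSON.stringify(tab), "->", JSON.stringify(decideSave(tab, ctx)));
}
```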

gildas-lormeau commented 1 week ago

I'm wondering if the page of the sidebar could be used for this. Maybe that could be an acceptable workaround, i.e. force the user to leave the sidebar open.