mdn / content

The content behind MDN Web Docs
https://developer.mozilla.org

Additional device on use of incognito key #34349

Open rebloor opened 3 months ago

rebloor commented 3 months ago

Add advice from https://github.com/mdn/content/pull/33661#discussion_r1606120565 :

Please add the recommendation to delete the incognito key from manifest.json if an extension is designed to maintain the privacy expectations of Private browsing mode.

The main thing is to not leak state from private browsing to non-private browsing. A common mistake of extensions is to send the data from a content script (potentially in a tab in a private browsing window) to an external server through a network request from the background page. Since the background script shares the same cookies as the main browsing session, this would result in the activity from the private browsing window being linkable to the non-private browsing session. A way to avoid this is to use the `credentials: "omit"` flag in `fetch` (along with `cache: "no-cache"`).

Noting comment on the original change made here.
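
The mitigation quoted above, sketched as a background-script message handler. This is an added example, not part of the original thread or of MDN's own code; the endpoint `collector.example`, the message shape and all function names are hypothetical, and treating a sender without tab information as private is an assumption of this sketch.

```javascript
// Added example: REPORT_URL and the { event } message shape are hypothetical.
const REPORT_URL = "https://collector.example/report"; // placeholder endpoint

// Could this message have come from a private browsing window?
// Fails closed (assumption of this sketch): no tab info means "private".
function isPossiblyPrivate(sender) {
  if (!sender || !sender.tab) return true;
  return sender.tab.incognito !== false;
}

// Build the fetch() arguments used to forward a content-script report.
function buildReportRequest(message, sender) {
  const init = {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ event: message.event }),
  };
  if (isPossiblyPrivate(sender)) {
    // Do not attach the main session's cookies or HTTP auth to the request,
    // so the server cannot link private activity to the non-private session.
    init.credentials = "omit";
    // Always revalidate with the server instead of answering straight from
    // the HTTP cache shared with the background page.
    init.cache = "no-cache";
  }
  return { url: REPORT_URL, init };
}

// fetchImpl is injectable so the request can be inspected without a network.
async function forwardReport(message, sender, fetchImpl = globalThis.fetch) {
  const { url, init } = buildReportRequest(message, sender);
  const response = await fetchImpl(url, init);
  return response.ok;
}

// Register the handler only when running inside an extension.
if (typeof browser !== "undefined" && browser.runtime) {
  browser.runtime.onMessage.addListener((message, sender) =>
    forwardReport(message, sender));
}
```
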

rebloor commented 3 months ago

@Rob--W please provide clarification here. I don't understand why my documentation of "add the recommendation to delete the incognito key from manifest.json" got the response "This is incorrect."