From c9b76428f2fea280cf472f9b2ffe6bf23495e600 Mon Sep 17 00:00:00 2001 From: Richard Bloor Date: Fri, 5 Jun 2026 11:39:29 +1200 Subject: [PATCH] Issue 34349 additional incognito key advice --- .../manifest.json/incognito/index.md | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/files/en-us/mozilla/add-ons/webextensions/manifest.json/incognito/index.md b/files/en-us/mozilla/add-ons/webextensions/manifest.json/incognito/index.md index 99488440ae9cfe3..4934b43437c36f2 100644 --- a/files/en-us/mozilla/add-ons/webextensions/manifest.json/incognito/index.md +++ b/files/en-us/mozilla/add-ons/webextensions/manifest.json/incognito/index.md @@ -53,7 +53,22 @@ This is a string that can take any of these values: - "not_allowed": private tabs and windows are invisible to the extension. -## Example +## Privacy considerations + +If your extension needs to maintain the privacy expectations of the private browsing mode, omit the `incognito` key from your `manifest.json`. Omitting the key preserves the default behavior where the extension doesn't run in private browsing windows. + +If your extension uses `"spanning"` mode to access private and non-private windows, take care not to leak state from private to non-private browsing sessions. A common mistake is sending data from a content script running in a private browsing tab to an external server with a network request made from the background page. Because the background page shares cookies with the main browsing session, this can make private browsing activity linkable to the non-private session. + +To avoid this, use [`credentials: "omit"`](/en-US/docs/Web/API/RequestInit#credentials) and [`cache: "no-cache"`](/en-US/docs/Web/API/RequestInit#cache) in any `fetch()` calls from the background page that may involve data originating from private browsing windows: + +```js +fetch(url, { + credentials: "omit", + cache: "no-cache", +}); +``` + +## Examples ```json "incognito": "spanning"
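Review bot: In the new "Privacy considerations" section, the advice to use `cache: "no-cache"` (the sentence before the snippet and the snippet itself) does not keep the request out of the HTTP cache. With `no-cache` the browser still revalidates any stored entry with a conditional request and writes the response back to the cache. If the goal is that data originating from private windows neither reads nor leaves state in the background page's cache, `cache: "no-store"` is the closer match; consider changing it in both places. The preceding paragraph also explains only the cookie linkage, so add a sentence on why the cache matters here. Otherwise the `cache` option appears in the snippet without a stated reason.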