Throw away requests that are not in the default cookie store or requests that we can't be certain what cookie store they are in (#207)

jonathanKingston · web-flow · commit 4ff6a9f21ff2 · 2017-09-28T20:33:17.000+01:00
diff --git a/js/capture.js b/js/capture.js
@@ -82,20 +82,37 @@ const capture = {
   async shouldStore(info) {
     const tabId = info.id || info.tabId;
     let documentUrl, privateBrowsing;
+    // Ignore container tabs as we need to store them correctly
+    //  showing a simpler graph just for default means we won't confuse users
+    //  into thinking isolation has broken
+    const defaultCookieStore = 'firefox-default';
+    if ('cookieStoreId' in info
+        && info.cookieStoreId !== defaultCookieStore) {
+      return false;
+    }
     if (this.isVisibleTab(tabId)) {
       const tab = await this.getTab(tabId);
       if (!tab) {
         return;
       }
+      if (tab.cookieStoreId !== defaultCookieStore) {
+        return false;
+      }
       documentUrl = new URL(tab.url);
       privateBrowsing = tab.incognito;
     } else {
+      // if we were not able to check the cookie store
+      // lets drop this for paranoia sake.
+      if (!('cookieStoreId' in info)) {
+        return false;
+      }
       // browser.tabs.get throws an error for nonvisible tabs (tabId = -1)
       // but some non-visible tabs can make third party requests,
       // ex: Service Workers
       documentUrl = new URL(info.originUrl);
       privateBrowsing = false;
     }
+
     // ignore about:*, moz-extension:*
     // also ignore private browsing tabs
     if (documentUrl.protocol !== 'about:'
diff --git a/manifest.json b/manifest.json
@@ -15,6 +15,7 @@
     "webRequest",
     "<all_urls>",
     "tabs",
+    "cookies",
     "storage",
     "downloads",
     "privacy"
