Privacy Essentials

Recent Commits

• Dax Mobile (27 May 26)

  Update autoconsent to v14.85.0 (#3554) Co-authored-by: muodov <[email protected]>

• Lucas Adamski (27 May 26)

  Bump native-github-asana-sync ref to v2.4 (#3553) Task: https://app.asana.com/1/137249556945/task/1215113750466061 Co-authored-by: Cursor <[email protected]>

• github-actions[bot] (22 May 26)

  Release 2026.5.22 [ci release] (#3550) Co-authored-by: sammacbeth <[email protected]>

• Sam Macbeth (22 May 26)

  Add extension installed flag to homepage visits (#3544) * Add extensioninstalled parameter to homepage visits * Add integration tests * Fixes * Use duckduckgo about page for fingerprint HAR tests (#3545) Co-authored-by: Cursor Agent <[email protected]> * Include the extensioninstalled flag on start and noai homepages too * Share regex between both MV2 and MV3 match methods. * Update tests * Update integration-test/atb.spec.js Co-authored-by: Dave Vandyke <[email protected]> --------- Co-authored-by: Cursor Agent <[email protected]> Co-authored-by: Dave Vandyke <[email protected]>

• Sam Macbeth (18 May 26)

  No AI in Searches toggle on options page (#3439) * Implement SearchChoice component to allow alternative search subdomains to be configured. * Add 'Search page' dropdown to options page Add a new dropdown setting to the extension options page that allows users to choose their preferred DuckDuckGo search page variant: - duckduckgo.com (default) - noai.duckduckgo.com - safe.duckduckgo.com The dropdown updates the 'alternativeSearch' setting, which is consumed by the SearchChoice background component to redirect search queries to the selected subdomain. Changes: - Add alternativeSearch default setting in defaultSettings.js - Add setSetting method and alternativeSearch state to privacy options model - Add search page dropdown to privacy options template - Add change event handler for dropdown in privacy options view - Add dropdown styling (.options-dropdown, .search-page-setting) in options.scss Co-authored-by: Sam Macbeth <[email protected]> * Fix pre-existing prettier formatting in search-choice.js Co-authored-by: Sam Macbeth <[email protected]> * Refine search page dropdown to match existing conventions - Use i18n key (options:searchPageTitle) instead of hardcoded text - Position dropdown with position:absolute + right:14px to align with toggle buttons, removing the flex-based .search-page-setting class - Set select value via jQuery .val() in view setup() instead of fragile nanohtml selected=${bool} attributes in the template - Call rerender() after change for consistency with toggle handlers Co-authored-by: Sam Macbeth <[email protected]> * Move search page dropdown above the Show embedded Tweets setting Co-authored-by: Sam Macbeth <[email protected]> * Fix dropdown overlap: use float instead of absolute positioning The dropdown was absolutely positioned and taken out of the flow, causing the <li> to collapse and the dropdown to overlap the toggle below. Switch to float:right so the dropdown stays in the flow and the <li> naturally expands to contain it. Co-authored-by: Sam Macbeth <[email protected]> * Add padding below dropdown to prevent overlap with toggle The floated dropdown kept the <li> from collapsing, but there was zero gap between consecutive <li> items. The 30px dropdown and 24px toggle on adjacent rows ended up touching. Add overflow:hidden and padding-bottom:8px on the dropdown's <li> to create clear spacing. Co-authored-by: Sam Macbeth <[email protected]> * Replace search page dropdown with No AI Mode toggle Replace the three-option dropdown with a simple toggle switch that maps to the alternativeSearch setting: off='', on='noai'. This uses the same toggle pattern as every other setting on the page, removing all dropdown-specific code (CSS, _changeSetting handler, setSetting model method, .options-dropdown and .options-dropdown-li styles). Co-authored-by: Sam Macbeth <[email protected]> * Remove Show embedded Tweets toggle from options page Co-authored-by: Sam Macbeth <[email protected]> * Add integration tests for search choice redirect Tests verify that: - Search URLs are redirected to noai.duckduckgo.com when enabled - No redirect occurs when the setting is disabled - start.duckduckgo.com is also redirected - Non-search pages (e.g. /about) are not redirected Co-authored-by: Sam Macbeth <[email protected]> * Fix race condition between ATB and search-choice redirects The old implementation used webNavigation.onBeforeNavigate + tabs.update to redirect search URLs. This raced with ATB's redirect mechanisms: - MV3: ATB's DNR rule and search-choice's tabs.update are independent; the DNR redirect could commit before tabs.update, causing a double navigation with a visible flash of the wrong page. - MV2: ATB's webRequest.onBeforeRequest redirect and the onBeforeNavigate tabs.update operated at different pipeline stages, racing similarly. The fix moves the search-choice redirect into the same mechanism as ATB: - MV2: applySearchChoice() is called in before-request.js alongside ATB.addParametersMainFrameRequestUrl(), composing both hostname rewrite and ATB param in a single { redirectUrl }. - MV3: A combined DNR rule (ALTERNATIVE_SEARCH_RULE_ID) handles both the hostname transform and ATB param injection atomically. It runs at higher priority (2000001) than ATB's standalone rule (2000000) so it takes precedence when active. When disabled, ATB's rule handles params by itself. The rule is kept in sync via onSettingUpdate listeners for both 'alternativeSearch' and 'atb'. Co-authored-by: Sam Macbeth <[email protected]> * Move search redirect to be a separate DNR rule Prevents redirect of chrome_newtab navigations. * Make mv2 redirect criteria more explicit * Add description text below No AI Mode toggle Wraps the toggle in a heading + paragraph layout matching the GPC section style. Adds placeholder description text via i18n key noAiModeDesc. Co-authored-by: Sam Macbeth <[email protected]> * Settings design tweaks * Standardize heading spacing across all options page sections - Remove .options-content__gpc-enabled margin/h2 padding overrides that gave GPC 20px top padding vs the 14px default. - Remove .fire-title padding-top:0 override so Fire Button heading gets the same 14px top padding as all other sections. - All section headings now use the base .menu-title padding (14px 0) uniformly, with consistent divider spacing from .divider-bottom. - Skip start.duckduckgo.com integration test on MV3 (Playwright context routes intercept before DNR can redirect). Co-authored-by: Sam Macbeth <[email protected]> * Skip start.duckduckgo.com redirect test on all manifest versions Playwright's context.route() intercepts before both DNR (MV3) and webRequest (MV2) can redirect, not just MV3. Co-authored-by: Sam Macbeth <[email protected]> * Match design: rename to 'No AI in Searches', reorder sections - Rename toggle label from 'No AI Mode' to 'No AI in Searches' per design. - Move Unprotected Sites section above Email Protection to match design ordering: GPC > No AI > Fire Button > Unprotected Sites > Email. Co-authored-by: Sam Macbeth <[email protected]> * Add divider below Unprotected Sites section Co-authored-by: Sam Macbeth <[email protected]> * Reduce spacing between GPC bullet points and following paragraph Co-authored-by: Sam Macbeth <[email protected]> * Fix allowlist float containment blocking clicks on next section The allowlist 'Add' button and input use float-left/float-right but their parent <div> didn't contain the floats. After reordering sections, the Email Protection heading overlapped the floated elements, intercepting pointer events. Add overflow:hidden on the wrapper to establish a BFC that contains the floats. Co-authored-by: Sam Macbeth <[email protected]> * Fix double divider when Fire Button / YouTube sections are hidden Hidden sections (Fire Button on Firefox, YouTube when CTL disabled) had divider-bottom class even when hidden, and the outer wrapper also had divider-bottom. Now hidden sections get only is-hidden (no divider-bottom), and the outer wrapper has no divider class. Co-authored-by: Sam Macbeth <[email protected]> * Updated copy * Clean up the old search-choice component. * Lint fix * Review fixes * Remove test * Integration tests for alternative search redirects. * Fix ATB unit-test mock parameter de-structuring * Update settings link color * Fix section spacing * Use a single boolean setting for no-AI search, to better align with the UI. * Remove redundant requestDomains condition. * Use shared helper for AI search helper * Make setUseNoAiSearch helper more robust * Make MV2 and MV3 behavior consistent. * Lint fix * Also check ATB is correct * Fix test import * Fix helper import * Fix test eval * Fix test assertions * Ensure only the main SERP is redirected by the MV3 rule * Anchor regex filter * Update shared/js/background/atb.js Co-authored-by: Dave Vandyke <[email protected]> * AI settings translations * Fix translations missing spaces --------- Co-authored-by: Cursor Agent <[email protected]> Co-authored-by: Dave Vandyke <[email protected]>

• Dave Vandyke (15 May 26)

  Fix another flake with the click-attribution integration tests (#3542)

• Dave Vandyke (15 May 26)

  Properly anchor the getSpecialDomain() localhost checks (#3541) The `127.0.0.1` and `0.0.0.0` regexes in `getSpecialDomain()` weren't properly anchored, and so could match a hostname like `127.0.0.1.evil.example`. Let's fix that.

• Dave Vandyke (07 May 26)

  Correct the ServiceWorker initiated request blocking tests (#3530) The integration test that checks ServiceWorker initiated requests are allowed when an exception is active, was for some reason asserting that the requests should be blocked. That was causing the tests to fail when run with the WIP Firefox test runner. The test was passing on Chrome since the standard Playwright harness doesn't surface the events for those requests.

• Dax Mobile (07 May 26)

  Update autoconsent to v14.77.1 (#3532) Co-authored-by: muodov <[email protected]>

• Sam Macbeth (07 May 26)

  Update extension name in all locales. (#3529)

• Sam Macbeth (07 May 26)

  Remove deep-freeze dependency from store (#3515) Co-authored-by: Cursor Agent <[email protected]>

• Dave Vandyke (06 May 26)

  Fix flake in the request blocking integration tests (#3521) One of the assertions in the request blocking tests was flaking sometimes since it depended on the order that request events were being fired, which sometimes varies. Let's adjust that, so that it will pass more reliably.

• Dave Vandyke (06 May 26)

  Switch ATB integration tests to use logPageRequests helper (#3519) Update the ATB integration tests to use the logPageRequests helper. All integration tests that observe requests should use those helpers, so that when we add the Firefox test harness they can continue to work.

• Dave Vandyke (06 May 26)

  Adjust the integration test blocklist for Click to Load (#3518) The Click to Load feature works by blocking embedded content and replacing it with a placeholder that allows the user to click to load it. That way, the idea was to protect the user's privacy while still giving them the option to view such embedded content if they need to. Some requests continue to be blocked even after the user clicks to load embedded content, for example some pixel/analytics requests. The integration tests for Facebook Click to Load were checking that no further Facebook requests were blocked after the placeholder was clicked, but they didn't consider the pixel requests that we always expect to be blocked. Those tests happened to pass anyway, since the Facebook script requests were stubbed with routeFromLocalhost and so the subsequent pixel requests weren't being made (and therefore weren't being blocked). Unfortunately however, for the WIP Firefox test harness we don't have routeFromLocalhost and so the real script is loading and those pixel requests are therefore blocked. For now, let's remove those pixel requests from the test blocklist used by the integration tests, so that the tests can pass on Firefox as well. Note: This blocklist is only used by the integration tests, and does not impact which requests are blocked for users.

• Dave Vandyke (06 May 26)

  Ensure urlParametersRemoved flag is preserved for tabs reliably (#3517) The tracking parameter protection feature takes care to strip common tracking parameters from URLs, to help reduce their use in tracking the user. When tracking parameters have been stripped, we set the urlParametersRemoved flag for the current tab, so that if the user then reports a website as being broken, we can see that the feature was active for it. That way, we can work to improve the rules so that the feature doesn't break websites. It turned out that on Firefox this flag wasn't being preserved correctly, as the navigation and request events fire in a slightly different order. Instead of `webNavigation.onBeforeNavigate` firing before `webRequest.onBeforeRequest` for navigations like is expected on Chrome, we found the opposite on Firefox. That was causing the integration tests for the feature to fail on Firefox. To fix this, we needed to make two changes. Firstly, we needed to set the flag as a persistent Tab property, as it can be set _before_ the latest Tab Object's creation. Secondly, we needed to better differentiate when parameters need to be stripped vs when they were just stripped to avoid a redirect loop in Firefox given the event order.

• github-actions[bot] (04 May 26)

  Release 2026.5.4 [ci release] (#3528) Co-authored-by: sammacbeth <[email protected]>

• Sam Macbeth (04 May 26)

  Remove emoji from extension description in all locales (#3527)

• Dave Vandyke (29 Apr 26)

  Add integration tests for the Playwright test harness (#3516) Our integration tests run using Playwright and our test harness. Let's add some integration test cases that check the Playwright harness is working correctly, that way we can check essential things like evaluation code in the extension's background, intercepting requests and overriding the extension's config works reliably. This should give us more confidence in the existing Chrome test harness code, and will also help us when we come to add the Firefox test harness.

• Dave Vandyke (29 Apr 26)

  Remove productSub assertion from fingerprinting integration tests (#3513) The anti-fingerprinting integration tests check that certain values that are sometimes misused for fingerprinting are correctly sanitised by the content-scope-scripts protections. Let's remove the `navigator.productSub` assertion, since: a. The value differs for Firefox vs Chrome, and so will require changes when we get the tests running against Firefox. b. The content-scope-scripts fingerprint protections don't actually change the productSub value anyway. c. The tests (including the productSub) check are duplicated in the content-scope-scripts repository[1] as well. 1 - https://github.com/duckduckgo/content-scope-scripts/blob/main/injected/integration-test/fingerprint.spec.js

• github-actions[bot] (28 Apr 26)

  Release 2026.4.28 [ci release] (#3514) Co-authored-by: sammacbeth <[email protected]>

• Dave Vandyke (27 Apr 26)

  Split out pixel suffix logic from the integration tests (#3512) Some of the integration tests verify that the expected pixel requests are firing correctly, including that the "_extension_BROWSER" suffix was included in the name. So far, the browser part was hardcoded to "_chrome" in the tests as they only ran against Chrome. Now that we are working to get them running against Firefox as well, let's split out the pixel suffix logic into the helper.

• Sam Macbeth (27 Apr 26)

  Update store descriptions. (#3511) * Update store descriptions. * Fix extra string spacing

• dependabot[bot] (23 Apr 26)

  Bump actions/checkout from 4 to 6 (#3382) Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 6. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/v4...v6) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jonathan Kingston <[email protected]>

• Dax Mobile (22 Apr 26)

  Update autoconsent to v14.74.0 (#3505) Co-authored-by: muodov <[email protected]>

• Sam Macbeth (22 Apr 26)

  Bump @duckduckgo/privacy-dashboard to 9.10.1 (#3488)

• Sam Macbeth (21 Apr 26)

  test: mock duckduckgo page in fire-button integration spec (#3503) Co-authored-by: Cursor Agent <[email protected]>

• Dax Mobile (21 Apr 26)

  Update autoconsent to v14.71.0 (#3496) Co-authored-by: muodov <[email protected]> Co-authored-by: Maxim Tsoy <[email protected]>

• Maxim Tsoy (20 Apr 26)

  Update Facebook SDK schema to include FedCM API (#3477) Facebook added FedCM (Federated Credential Management) support to their JS SDK with three new methods: getProviderConfig, isSupported, and processCredential. This is part of the FedCM web standard for federated login without third-party cookies. No surrogate script changes needed in this repo — the surrogate lives in content-scope-scripts. The FedCM methods are new additions that don't affect the existing surrogate's ability to prevent tracking. A follow-up in content-scope-scripts may be needed to add FedCM stubs to the surrogate if sites start depending on them. Co-authored-by: Cursor Agent <[email protected]>

• Dax Mobile (31 Mar 26)

  Update autoconsent to v14.67.0 (#3482) Co-authored-by: muodov <[email protected]>

• Maxim Tsoy (31 Mar 26)

  Fix disabled-for-site pixel in CPM (#3476) * Fix disabled-for-site pixel firing from every frame instead of main frame only The 'disabled-for-site' pixel was being fired for every frame (main + all iframes) that sent an 'init' message when autoconsent was disabled for a site. This is inconsistent with the 'init' pixel which is correctly guarded by an isMainFrame check. Since pages typically have many iframes (ads, trackers, embeds), this caused the 'disabled' event count to be ~35x higher than expected compared to the native implementation which only fires once per page. Add the same isMainFrame guard to the disabled-for-site pixel that already protects the init pixel. Co-authored-by: Maxim Tsoy <[email protected]> * Add unit tests for disabled-for-site pixel main-frame guard Tests verify that: - disabled-for-site pixel fires for main frame (frameId=0) - disabled-for-site pixel does NOT fire for subframes - only one pixel fires when main frame + multiple subframes all send init - summaryEvents counts disabled-for-site exactly once - init pixel also only fires for main frame (existing behavior) Co-authored-by: Maxim Tsoy <[email protected]> * Fix prettier formatting in cookie-prompt-management tests Co-authored-by: Maxim Tsoy <[email protected]> --------- Co-authored-by: Cursor Agent <[email protected]>