
Incognito permission and risks #97

@lsd-cat

In b50ab7a I've enabled the extension in incognito mode. This is required to run in incognito windows, when explicitly enabled, but also in Tor Browser, where incognito is the default mode (though this does not solve all TBB issues yet).

In theory, the incognito flag in the manifest supports two modes: spanning and split. It seems like spanning is the only supported mode in Firefox (at least for MV2). Spanning means that the execution context is the same for the extension for both incognito and non-incognito windows.

While in TBB this should not be relevant, as everything runs in the incognito context, in normal Firefox this has privacy and tracking implications.

Since WEBCAT caches origins, it's pretty easy to build tracking pages, with a pattern of enrolled domains/origins and then when in incognito verify which ones are cached or not.

At the network level, the WebExtension API does not pass information on whether a request is from an incognito context or not. The information is available, but at the tab context. I'm not sure there's an easy fix atm.
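
One possible way to keep origins cached in a normal window from being observable in a private one, as an added example that is not part of the original issue or the WEBCAT code: partition the cache by the tab's `incognito` flag, tracked from tab events. The class and method names are hypothetical; `browser.tabs.onCreated`, `browser.tabs.onRemoved` and `Tab.incognito` are the standard WebExtension APIs.

```javascript
// Added example, not WEBCAT code: origin cache partitioned by browsing context.
// Assumed wiring (real WebExtension events, hypothetical class):
//   browser.tabs.onCreated.addListener(t => cache.onTabCreated(t));
//   browser.tabs.onRemoved.addListener(id => cache.onTabRemoved(id));
class PartitionedOriginCache {
  constructor() {
    this.tabIsPrivate = new Map(); // tabId -> tab.incognito
    this.normal = new Map();       // origin -> cached result, normal windows
    this.private = new Map();      // origin -> cached result, private windows
  }
  onTabCreated(tab) {
    this.tabIsPrivate.set(tab.id, tab.incognito === true);
  }
  onTabRemoved(tabId) {
    this.tabIsPrivate.delete(tabId);
    // Drop private entries once the last private tab is gone.
    if (![...this.tabIsPrivate.values()].some(Boolean)) this.private.clear();
  }
  // Unknown tabs (tabId -1 or never seen) get no partition: no read, no write.
  partitionFor(tabId) {
    if (!this.tabIsPrivate.has(tabId)) return null;
    return this.tabIsPrivate.get(tabId) ? this.private : this.normal;
  }
  get(tabId, origin) {
    const part = this.partitionFor(tabId);
    return part ? part.get(origin) : undefined;
  }
  set(tabId, origin, value) {
    const part = this.partitionFor(tabId);
    if (part) part.set(origin, value);
  }
}
// Constructed sample: tab 1 is a normal window, tabs 2 and 3 are private.
function demo() {
  const cache = new PartitionedOriginCache();
  cache.onTabCreated({ id: 1, incognito: false });
  cache.onTabCreated({ id: 2, incognito: true });
  cache.set(1, "https://example.org", "enrolled");
  cache.set(2, "https://example.net", "enrolled");
  const seen = {
    normalOwn: cache.get(1, "https://example.org"),
    privateSeesNormal: cache.get(2, "https://example.org"),
    normalSeesPrivate: cache.get(1, "https://example.net"),
    unknownTab: cache.get(-1, "https://example.org"),
  };
  cache.onTabRemoved(2); // last private tab closes
  cache.onTabCreated({ id: 3, incognito: true });
  seen.newPrivateSession = cache.get(3, "https://example.net");
  return seen;
}
```

Tabs that already exist when the extension starts would need to be seeded into the map (for instance from `browser.tabs.query({})`) before the first lookup.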
