1. Mozilla
  2. Add-ons
  3. Browser extensions
  4. manifest.json
  5. incognito
View on MDN

incognito

Type String
Mandatory No
Manifest version 2 or higher
Example
json
"incognito": "spanning"
json
"incognito": "split"
json
"incognito": "not_allowed"

Use the incognito key to control how the extension works with private browsing windows.

Note: By default, extensions do not run in private browsing windows. Whether an extension can access private browsing windows is under user control. For details, see Extensions in Private Browsing. Your extension can check whether it can access private browsing windows using extension.isAllowedIncognitoAccess.

This is a string that can take any of these values:

  • "spanning" (the default): the extension sees events from private and non-private windows and tabs. Windows and tabs gets an incognito property in the Window or Tab that represents them. This property indicates whether or not the object is private:

    js
    browser.windows.getLastFocused().then((windowInfo) => {
  console.log(`Window is private: ${windowInfo.incognito}`);
});

  • "split": the extension is split between private and non-private windows. There are effectively two copies of the extension running: one sees only non-private windows, the other sees only private windows. Each copy has isolated access to Web APIs (so, for example, localStorage is not shared). However, the WebExtension API storage.local is shared.

    Note: Firefox doesn't support "split" mode. Extensions that request this option in Firefox are installed using "not_allowed".

  • "not_allowed": private tabs and windows are invisible to the extension.

Privacy considerations

If your extension needs to maintain the privacy expectations of the private browsing mode, omit the incognito key from your manifest.json. Omitting the key preserves the default behavior where the extension doesn't run in private browsing windows.

If your extension uses "spanning" mode to access private and non-private windows, take care not to leak state from private to non-private browsing sessions. A common mistake is sending data from a content script running in a private browsing tab to an external server with a network request made from the background page. Because the background page shares cookies with the main browsing session, this can make private browsing activity linkable to the non-private session.

To avoid this, use credentials: "omit" and cache: "no-cache" in any fetch() calls from the background page that may involve data originating from private browsing windows:

js
fetch(url, {
  credentials: "omit",
  cache: "no-cache",
});

Examples

json
"incognito": "spanning"
json
"incognito": "split"
json
"incognito": "not_allowed"

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on by MDN contributors.

View this page on GitHubReport a problem with this content