fix: Accept-Language spoofing being skipped for redirect chains from excepted domains

[Copilot]

onBeforeSendHeaders checked both the current host and the stored initialHost against the exception list. Since requestId is shared across an entire redirect chain, if the originating domain was excepted, every subsequent hop silently skipped Accept-Language spoofing — even when redirecting to non-excepted domains.

Changes

• onBeforeSendHeaders: Drop the initialHost exception check; only the current request host determines whether to spoof the header
• Cleanup: Remove now-unused trackedRequest/initialHost variable declarations from the same handler

// Before
if (
  exceptionDomains.has(getRootDomain(host)) ||
  exceptionDomains.has(getRootDomain(initialHost))  // wrong: poisons the entire redirect chain
) { return {}; }

// After
if (exceptionDomains.has(getRootDomain(host))) { return {}; }

onHeadersReceived (redirect blocking) is unchanged — its use of initialHost is correct and intentional.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[MINOR] onBeforeSendHeaders skips Accept-Language spoofing when initial host is excepted, but still processes the redirect chain</issue_title>
<issue_description>Category: bug
Severity: minor
File(s): background.js (onBeforeSendHeaders handler, ~l.130–175)

Description

In onBeforeSendHeaders, the extension returns early (no header modification) when either the current host or the initial host is in the exception list. This is correct for the first request, but during a redirect chain the requestId is reused and the initialHost stored in initialHostByRequest still points to the original (possibly excepted) domain, causing the Accept-Language header to be left unmodified for all subsequent hops — including hops to non-excepted domains.

The same requestId is shared across the entire redirect chain by the WebExtensions API, so an early exception match on the first hop silently disables Accept-Language spoofing for every following hop.

Problematic code example

// background.js
if (
  exceptionDomains.has(getRootDomain(host)) ||
  exceptionDomains.has(getRootDomain(initialHost))  // ← initialHost may be the excepted origin
) {
  return {};  // skips Accept-Language for ALL hops sharing this requestId
}

Suggested fix

Only short-circuit based on the current request host, not the stored initial host, when deciding whether to spoof the Accept-Language header. The initial host check is relevant for redirect blocking (onHeadersReceived), not for header modification.

// onBeforeSendHeaders — check only current host for Accept-Language
if (exceptionDomains.has(getRootDomain(host))) {
  return {};
}

Acceptance criteria

• Navigating from an excepted domain to a non-excepted domain still results in the correct Accept-Language header on the second hop
• Navigating entirely within an excepted domain leaves Accept-Language untouched
• No regression on redirect blocking logic in onHeadersReceived</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [MINOR] onBeforeSendHeaders skips Accept-Language spoofing when initial host is excepted, but still processes the redirect chain #138

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[Copilot]

Pull request overview

Fixes a bug in the background webRequest header handler where Accept-Language spoofing could be unintentionally disabled for an entire redirect chain if the originating (initial) host was on the exception list.

Changes:

• Update onBeforeSendHeaders to consult the exception list using only the current request host (not initialHost).
• Remove now-unused trackedRequest / initialHost variables from onBeforeSendHeaders.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.