BackgroundPageThumbs uses private browsing when producing thumbnails, but there's currently no test that verifies it. I guess it could work like this: (0) Have an sjs file that the test communicates with. (1) Visit the sjs in a browser tab. The sjs sees that its cookie isn't in the request, so it returns it in the response. (2) Verify that the cookie is in the response. (Or, since the response probably won't be handy and an end-to-end verification is probably better: visit the sjs again. It sees that the cookie is in the request and communicates that back to the test somehow.) (3) Capture the sjs using BackgroundPageThumbs. The sjs sees that its cookie is not in the request and therefore returns a page that's easy to automatically verify -- say, a page that's all green (in addition to responding with the cookie). Verify that the thumbnail written to disk is all green. I wonder what happens if the sjs is then captured again. Ideally the cookie would not be sent in the request, but I think it may be since there's only one temporary cookie store per private-browsing session? I guess it wouldn't matter if that happens in practice, since it seems very unlikely that any real site would be able to reveal anything private about the user in that manner.
(In reply to Drew Willcoxon :adw from comment #0) > I wonder what happens if the sjs is then captured again. Ideally the cookie > would not be sent in the request, but I think it may be since there's only > one temporary cookie store per private-browsing session? Oh, this sucks. If you open a private window, log in to a site, and then use BackgroundPageThumbs to capture the URL, guess what's captured (and not removed when you close the PB window).
Created attachment 756877 [details] [diff] [review] patch