Tracker protection getTabUrl

[jonathanKingston]

Asana Task/Github Issue: N/A

Description

• Replaced the internal getTabURL() function in tracker-protection.js with the shared getTabUrl utility from ../utils.js, removing a duplicate implementation without behavioral change.
• Removed the unused destroy() method from TrackerProtection, as it was dead code and never called.
  These changes address specific PR review comments.

Testing Steps

• Run npm test and verify all unit tests pass.
• Run npm test -- injected/src/features/tracker-protection.js and verify all TrackerResolver specs pass.

Checklist

Please tick all that apply:

• I have tested this change locally
• I have tested this change locally in all supported browsers
• This change will be visible to users
• I have added automated tests that cover this change
• I have ensured the change is gated by config
• This change was covered by a ship review
• This change was covered by a tech design
• Any dependent config has been merged

  

[cursor]

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
_{Learn more about Cursor Agents}

[github-actions]

Build Branch

Branch	pr-releases/jkt/auto/tracker-protection-gettaburl-5e89
Commit	6dcd3b26ce
Updated	May 29, 2026 at 10:27:58 PM UTC

Static preview entry points

• Docs: docs/index.html
• Static pages: build/integration/pages/index.html
• Integration pages: injected/integration-test/test-pages/index.html

QR codes (mobile preview)

Entry point	QR code
Docs
Static pages
Integration pages

Integration commands

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#pr-releases/jkt/auto/tracker-protection-gettaburl-5e89

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", branch: "pr-releases/jkt/auto/tracker-protection-gettaburl-5e89")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/jkt/auto/tracker-protection-gettaburl-5e89
git -C submodules/content-scope-scripts checkout origin/pr-releases/jkt/auto/tracker-protection-gettaburl-5e89

Pin to exact commit

npm (Android / Extension):

npm i github:duckduckgo/content-scope-scripts#6dcd3b26ce3bad044824047b151affdcbce7f7df

Swift Package Manager (Apple):

.package(url: "https://github.com/duckduckgo/content-scope-scripts.git", revision: "6dcd3b26ce3bad044824047b151affdcbce7f7df")

git submodule (Windows):

git -C submodules/content-scope-scripts fetch origin pr-releases/jkt/auto/tracker-protection-gettaburl-5e89
git -C submodules/content-scope-scripts checkout 6dcd3b26ce3bad044824047b151affdcbce7f7df

[github-actions]

[Beta] Generated file diff

Time updated: Fri, 29 May 2026 22:28:35 GMT

Apple

    - apple/contentScope.js

File has changed

Integration

    - integration/contentScope.js

File has changed

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix prepared a fix for the issue found in the latest run.

• ✅ Fixed: Dead stores left behind after destroy() removal
  • Removed the four dead property assignments (this._originalXHROpen, this._originalXHRSend, this._originalFetch, this._originalImageSrc) that had no remaining readers after the destroy() method was removed.

Or push these changes by commenting:

@cursor push fb9031323f

Preview (fb9031323f)

diff --git a/injected/src/features/tracker-protection.js b/injected/src/features/tracker-protection.js
--- a/injected/src/features/tracker-protection.js
+++ b/injected/src/features/tracker-protection.js
@@ -157,9 +157,6 @@
             }
             return originalSend.apply(this, args);
         };
-
-        this._originalXHROpen = originalOpen;
-        this._originalXHRSend = originalSend;
     }
 
     _setupFetchInterception() {
@@ -183,8 +180,6 @@
             }
             return originalFetch.apply(window, args);
         };
-
-        this._originalFetch = originalFetch;
     }
 
     _setupImageSrcInterception() {
@@ -192,7 +187,6 @@
         const originalDescriptor = Object.getOwnPropertyDescriptor(Image.prototype, 'src');
         if (!originalDescriptor?.get || !originalDescriptor?.set) return;
 
-        this._originalImageSrc = originalDescriptor;
         /** @type {WeakSet<HTMLImageElement>} */
         const imgTracked = new WeakSet();
         const origGet = originalDescriptor.get;

[cursor]

Dead stores left behind after destroy() removal

Low Severity

The destroy() method was removed as dead code, but the instance property assignments it relied on — this._originalXHROpen, this._originalXHRSend, this._originalFetch, and this._originalImageSrc — are still being set in _setupXHRInterception, _setupFetchInterception, and _setupImageSrcInterception. These are now dead stores with no remaining readers.

---

_{Please tell me if this was useful or not with a 👍 or 👎.}

Additional Locations (2)

• injected/src/features/tracker-protection.js#L186-L187
• injected/src/features/tracker-protection.js#L194-L195

 

[jonathanKingston]

@cursoragent fix please

[cursor]

PR already exists and description doesn't need updating. Done.

Removed the four dead stores (this._originalXHROpen, this._originalXHRSend, this._originalFetch, this._originalImageSrc) that were only used by the now-deleted destroy() method. All 166 TrackerResolver specs and unit tests pass.

  

[github-actions]

⚠️ Cursor review was not successful.

This PR requires a manual review and approval from a member of one of the following teams:

• @duckduckgo/content-scope-scripts-owners
• @duckduckgo/apple-devs
• @duckduckgo/android-devs
• @duckduckgo/team-windows-development
• @duckduckgo/extension-owners
• @duckduckgo/config-aor
• @duckduckgo/breakage-aor
• @duckduckgo/breakage

[jonathanKingston]

@cursoragent rebase over main

[cursor]

Rebased onto latest main (9065801dde). The two previous commits collapsed into one clean commit since the dead store removal was folded into the conflict resolution. Consolidated the duplicate ../utils.js imports into a single line. All 152 TrackerResolver specs and unit tests pass.

  

[cursor]

Web Compatibility Assessment

No findings. The changed runtime path replaces the local top-level URL helper with existing getTabUrl() and removes unreachable cleanup/dead-store code; I did not find a new API-surface fidelity, DOM timing, SPA, or platform-compat regression in the changed lines.

Security Assessment

No findings. The shared getTabUrl() keeps the same top-location/referrer/ancestorOrigins fallback model used by the removed helper, and the diff does not relax message-bridge, origin-validation, config-gating, or iframe trust-boundary checks.

Risk Level

Medium Risk: this touches injected tracker-protection URL resolution used for blocking/reporting decisions, but does not add new API hooks, messaging paths, or security-sensitive trust-boundary changes.

Recommendations

No blocking recommendations. Targeted verification passed: npm run build-surrogates --workspace=injected, npm run tsc-strict-core, and npm run test-unit --workspace=injected -- --filter="TrackerProtection".

  

_{Sent by Cursor Automation: Web compat and sec}