Fixed

• Firefox TDZ: _contentPrefs declarations hoisted to top of the content script IIFE so early-firing event handlers (copy, click, runtime.onMessage) can no longer reference them before initialization (#298)
• Security: navigate() now enforces the 2000-char URL length cap before parsing
• Security: hostname extraction in the affiliate toast wrapped in safeHostname() — malformed URLs no longer throw inside event handlers

Added

• Static-analysis regression tests asserting _contentPrefs / _contentPrefsPending declarations stay above any reader and within the first 120 lines of cleaner.js

Fixed

• Security: add URL payload length limit, reject non-HTTP schemes, harden sanitizeHTML
• Robustness: cache version counter prevents stale prefs, time-based rewrite loop eviction
• Firefox MV2: shim chrome.runtime.sendMessage, deduplicate browser-polyfill loading
• MutationObserver ping blocking debounced via requestAnimationFrame
• Document silent .catch() handlers in content scripts
• Safe manifest swap script with trap-based restoration

Added

• Automated Firefox AMO submission on tag push
• Automated Chrome Web Store submission on tag push
• README: Chrome Web Store install badge (no longer "Coming soon")

Version 1.9.6

Fixes:
- Click handler no longer intercepts all link clicks. Only intercepts clicks to affiliate store domains. Non-affiliate clicks pass through unmodified, preserving SPA navigation on YouTube, forums, and all other sites.
- Click, copy, and self-clean handlers now check if the extension is enabled before any interception. Extension is fully inert when disabled.
- Prefs loaded eagerly at content script init for synchronous access.

852 passing tests. No permission changes.

Version 1.9.4

Changes in this version:
- Consent gate: extension is now fully disabled (no URL processing, popup blocked, options redirected) until the user accepts the Terms of Use in onboarding. Enforcement points: service-worker.js (handleProcessUrl), popup.js (consent-gate overlay), options.js (redirect), content/cleaner.js (ping blocking).
- 120+ new domain-specific tracking parameters (Amazon, Facebook, TikTok, Google, LinkedIn, Reddit, eBay, YouTube, Spotify, Netflix, NYTimes, BBC, AliExpress, Bing, Yahoo, Twitter/X, Etsy). Sourced from ClearURLs, AdGuard Filter 17, Neat-URL, and Mozilla's built-in strip list.
- 5 new Shopify recommendation tracking params (pr_prod_strat, pr_rec_id, pr_ref_pid, pr_rec_pid, pr_seq) added to global tracking list.
- Fixed: double onboarding tab caused by both onInstalled and fallback IIFE opening tabs. Now uses a dedup flag (openOnboardingOnce).
- Fixed: Promise shim (shimChromePromises in storage.js) was probing each API call by invoking it without a callback. For side-effectful methods like chrome.tabs.create, this executed the action twice. Now detects environment once at startup.

Version 1.9.2

Changes in this version:
- Redesigned onboarding (privacy-first messaging, 3 features)
- Affiliate redirect unwrapping (Awin, Admitad, ShareASale, VigLink, Tradedoubler)
- Strip awc/wt_mc from redirect-based affiliate networks
- Fix collapsible store groups in Settings
- Rename "Report broken site" to "Report a bug or suggest an improvement"
- 730 passing tests

No permission changes from previous version