v1.11.0

New Features

• VPN Region Sync — New "Sync with VPN" toggle that detects your public IP, geolocates your VPN exit region, and sets your spoofed location to match. One click, no manual coordinates needed.
• Re-sync — After syncing, a Re-sync button lets you update your spoofed location if you switch VPN servers.
• Info tooltip — ⓘ icon next to the VPN sync toggle explains that it's a one-time sync (not auto-updating) and that Re-sync is needed after changing VPN servers.
• Clear location — New × button on the current location display to quickly clear your spoofed location.

Improvements

• Settings deferral hardening — Geolocation and permissions queries are now deferred until settings arrive from the background script, preventing real location leaks on slow startups.

Documentation

• Rewrote the Development section in README with a clear "two terminals" workflow and a scripts reference table.
• Added package:source to the scripts table.
• Updated Android testing instructions.
• Updated Privacy Policy with VPN sync data disclosure (ipify + FreeIPAPI).

Housekeeping

• Removed unused build:ext / zip script (redundant with package).

v1.10.0

Bug Fixes

• Fixed false orange "!" badge appearing on nearly every page load due to a race condition between the background script and content script initialization
• Badge now retries injection checks with backoff (500ms, 1s, 2s) instead of failing immediately
• Badge automatically recovers to green "✓" when the content script confirms it's active
• Popup injection warning now uses a live PING check instead of reading potentially stale badge text, reducing false warnings on SPA navigations (e.g., YouTube)

v1.9.0
- Android support — GeoSpoof now works on Firefox for Android (120+)
- Responsive popup UI that adapts to mobile screen sizes
- Search results dropdown now opens above the input, improving usability on both desktop and mobile
- Integrated web-ext tooling for building, linting, and packaging
- Note: WebRTC protection toggle is visible on Android but may not be functional due to some platform API limitations

v1.8.0

Changed
- Details tab now shows complete list of overridden APIs grouped by Geolocation, Timezone, and WebRTC
- README rewritten to focus on what APIs get spoofed and how protection works
- Added links to Nominatim and browser-geo-tz in README and privacy policy

v1.7.0

Added
- Timezone resolution using browser-geo-tz geographic boundary data, replacing the GeoNames API
- Longitude-based fallback when timezone data can't be loaded

Removed
- GeoNames API dependency and free-tier account requirement

Improved
- Timezone lookup reliability — no more rate limiting or API downtime issues
- Privacy policy and README updated to reflect new timezone data source

v1.6.0:
- Just a new icon :)

v1.5.0
New: Permissions API Spoofing
- navigator.permissions.query() now returns "granted" for geolocation when spoofing is active, closing a fingerprinting gap where websites could detect spoofed location by checking the permission state.
- Non-geolocation permission queries and all queries when spoofing is disabled pass through to the browser normally.
- The spoofed PermissionStatus object matches the real browser API surface (read-only state, EventTarget support).
- No additional browser permissions required.

Fixes
- Fixed popup Details view not rendering line breaks in the Overridden APIs and other detail sections.
- Package script now auto-formats manifest.json after build.

v1.4.0 — Reliability & correctness improvements

Fixed timezone spoofing for regions that don't observe DST (e.g. Asia/Tokyo, America/Phoenix). Offsets are now resolved using the browser's Intl API instead of heuristics.
Fixed a race condition where geolocation overrides could be installed after page scripts had already run, briefly exposing your real location.
Fixed async message handling to use Firefox's native Promise-based pattern, improving reliability of settings delivery between components.
Internal settings like your GeoNames username are no longer sent to content scripts — only the fields needed for spoofing are broadcast.
Build system now automatically syncs the version between package.json and manifest.json.