Developer explanations
The GPC signals can be broken down into a DOM signal and setting headers. Our DOM signal is being set by a content script that injects a script to set navigator.globalPrivacyControl to true. When a user wishes to opt-in to sales, that specific domain is added to exclude_matches for the content script, resulting in the DOM signal not being added. Our headers are done with an alternative method. Using declarativeNetRequest, we set a static universal rule that adds the Sec-GPC and DNT headers, both with a value of 1. When a user chooses to opt back in, we create a site-specific dynamic rule that immediately removes these headers.
We had an issue open (issue #192) regarding these 3rd party domains not loading properly prior to our 2.0.0 release. We realized that our cache of requests made, which are sent to the popup when it is opened, didn't clear properly when a user navigated to a new site. We ultimately decided to clear this cache by using webNavigation.onBeforeNavigate, since it gets the closest to clearing all the previously collected domains while dropping as few new connections as possible. There are ways of messing with the APIs available to us to better approximate which requests belong to which page, but we decided our solution worked well enough for the time being.