
FB11654421 - Safari web extension script loaded twice if overlapping domain permissions

Open lapcat opened this issue 2 years ago • 0 comments

I've tested and reproduced this bug in Safari 16 on both macOS 12.6 and iOS 16.1 (beta).

Steps to reproduce (Mac):

  1. Install Tweaks for Twitter: https://apps.apple.com/app/tweaks-for-twitter/id1567751529?mt=12
  2. Open Safari
  3. Open https://mobile.twitter.com/webkit
  4. Click the Tweaks toolbar button and select "Always Allow on This Website"
  5. Open https://twitter.com/webkit
  6. Click the Tweaks toolbar button and select "Always Allow on This Website"
  7. Open https://mobile.twitter.com/webkit again
  8. Open the Safari web inspector and verify that two copies of the content script have loaded in the page.

Analysis: In the manifest json file, Tweaks declares the following:

```json
"content_scripts": [{
    "js": ["script.js"],
    "matches": ["https://*.twitter.com/*"]
}]
```

So it handles any Twitter URL, mobile or non-mobile. If you give the extension permission to access both mobile.twitter.com and twitter.com, then Safari will load the content script twice when you visit a mobile.twitter.com URL, because it has "double access". This is a bug.

The same bug can be triggered on iOS (https://apps.apple.com/app/tweaks-for-twitter-mobile/id1582826292?mt=8) with similar though maybe slightly different steps to reproduce, because Twitter often redirects to mobile URLs. You could visit a mobile.twitter.com URL first in Safari, and then go to the Settings app and give Tweaks "Allow" permissions for twitter.com too.


lapcat · Dec 26 '22 20:12
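A defensive guard an extension author could place at the top of a content script so that a second injection like the one reported above becomes a no-op. This is an added example, not code from the issue or from Tweaks for Twitter; it assumes both copies of the script run in the same extension isolated world and therefore share `globalThis`, and `GUARD_KEY`, `runOnce` and `simulateDoubleInjection` are hypothetical names.

```javascript
// Added example (hypothetical names): make a content script idempotent.
// Assumption: a duplicate injection runs in the same isolated world as the
// first copy, so a marker on globalThis is visible to the second copy.
const GUARD_KEY = Symbol.for("example.contentScript.loaded");

function runOnce(init, scope = globalThis) {
  const state = scope[GUARD_KEY];
  if (state) {
    // Duplicate load: skip init, but count it so the bug stays observable.
    state.duplicateLoads += 1;
    return { ran: false, duplicateLoads: state.duplicateLoads };
  }
  // Non-enumerable, non-configurable marker: it cannot be removed or
  // replaced by a later copy of the script, only its counter changes.
  Object.defineProperty(scope, GUARD_KEY, {
    value: { duplicateLoads: 0 },
    enumerable: false,
    writable: false,
    configurable: false,
  });
  init();
  return { ran: true, duplicateLoads: 0 };
}

// Constructed demonstration: "scope" stands in for the page's isolated world,
// and "handlers" stands in for side effects such as observers or injected CSS.
function simulateDoubleInjection() {
  const scope = {};
  const handlers = [];
  const contentScript = () =>
    runOnce(() => handlers.push("install-observer"), scope);

  const first = contentScript();  // normal load
  const second = contentScript(); // the duplicate load described in the report
  return { first, second, installed: handlers.length };
}

// In a real content script the whole body would go inside the callback:
// runOnce(() => { /* register observers, inject styles, ... */ });
```

If the duplicate copy turns out to run in a separate world, this marker will not be shared and the guard would need a page-visible signal instead.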