From 448cd3e70d3aecad50b811339d750a071560e451 Mon Sep 17 00:00:00 2001
From: sal <sal@salmutt.dev>
Date: Sun, 1 Mar 2026 16:27:23 -0600
Subject: [PATCH] Keep auth redirects in originating container for session
 isolation

When a tab in a managed container navigates to an auth provider
(accounts.google.com), keep it in the current container instead of
reassigning. This ensures YouTube's Google login cookies stay in the
youtube.com container and aren't visible to drive.google.com.
---
 background.js | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/background.js b/background.js
index f18b907..903f8b0 100644
--- a/background.js
+++ b/background.js
@@ -188,7 +188,16 @@ async function assignTabToContainer(tabId, url, baseDomain) {
         delete pendingTabs[tabId];
         return;
       }
-      // It's our container but wrong domain — reassign to correct container
+      // Tab is in our container navigating to a different domain.
+      // If target is an auth provider, keep in current container so auth
+      // cookies stay isolated (e.g. YouTube login via accounts.google.com
+      // stays in the youtube.com container, not the google.com container)
+      const hostname = extractDomain(url);
+      if (hostname && AUTH_BYPASS_DOMAINS.includes(hostname)) {
+        delete pendingTabs[tabId];
+        return;
+      }
+      // Otherwise reassign to correct container
     }
 
     const newTab = await browser.tabs.create({