shell/window-tracker: Match on WM_CLASS first

Currently our heuristics for matching a window to its app check
for the application ID before the WM_CLASS, as the ID is more
reliable in so far that it is outside the application's control
and so it cannot use it to spoof a different application.

However this also prevents applications with multiple .desktop
files like LibreOffice from matching any .desktop files other
than the one under the main ID.

Since we now no longer allow the WM_CLASS to match a .desktop
file that doesn't belong to the sandboxed application, we can
fix that issue by checking the WM_CLASS first, without opening
the door to spoofing.

https://gitlab.gnome.org/GNOME/gnome-shell/issues/219

src/shell-window-tracker.c

@@ -402,6 +402,13 @@ get_app_for_window (ShellWindowTracker    *tracker,
   if (meta_window_is_remote (window))
     return _shell_app_new_for_window (window);
 
+  /* Check if the app's WM_CLASS specifies an app; this is
+   * canonical if it does.
+   */
+  result = get_app_from_window_wmclass (window);
+  if (result != NULL)
+    return result;
+
   /* Check if the window was opened from within a sandbox; if this
    * is the case, a corresponding .desktop file is guaranteed to match;
    */
@@ -416,13 +423,6 @@ get_app_for_window (ShellWindowTracker    *tracker,
   if (result != NULL)
     return result;
 
-  /* Check if the app's WM_CLASS specifies an app; this is
-   * canonical if it does.
-   */
-  result = get_app_from_window_wmclass (window);
-  if (result != NULL)
-    return result;
-
   result = get_app_from_window_pid (tracker, window);
   if (result != NULL)
     return result;