fix: Refine domain squatting actions and enhance URL allowlist matching#164
Merged
Conversation
The domain squatting result handler in scripts/content.js collapsed the block | warn | log action enum into block vs. everything-else. Because only the 'block' case was checked, the 'log' action fell through to the warning branch: it showed the orange warning banner and recorded every telemetry line (protection event, CIPP report, webhook) as 'warned'. The 'log' action was therefore functionally identical to 'warn'. Resolve the effective action as a real three-state value (block | warn | log) and derive a matching telemetry outcome (blocked | warned | logged). Preserve the semantics that warn logs telemetry and shows a banner, while log logs telemetry only and shows nothing to the user. Warn logs, log does not warn. The detector side (getActionForSeverity in domain-squatting-detector.js) already passed 'log' through intact and is unchanged. Fixes: CyberDrain#161
urlPatternToRegex appended a hard end-anchor to any non-wildcard pattern, so an allowlisted host or root URL only matched the bare root URL and never a real navigated deep link. An admin who allowlisted the exact host of a page (including the protocol-qualified form) still saw that page scanned or blocked, because the actual URL carries a path and the trailing anchor rejected it. Relax only the trailing anchoring: normalize a single trailing slash and tolerate an optional trailing path, query, or fragment. The tolerated remainder must begin with /, ?, or # so suffix tricks such as https://host.evil.com/ still do not match an entry for https://host/. Leading protocol and subdomain tolerance is intentionally out of scope, so bare-domain entries still require the documented https://.../ * form. The change is applied to both copies of urlPatternToRegex (scripts/content.js and options/options.js), which must stay in sync. Fixes: CyberDrain#162
…terns The deep-link matching added for the URL allowlist applied its tolerant trailing matcher to every non-wildcard pattern, which turned path-specific entries into prefix matches. For example an entry for https://host/safe also matched https://host/safe/anything, over-broadening a bypass allowlist entry beyond what the admin intended. Gate the tolerant trailing matcher on host or root URL patterns only (no path segment beyond an optional single trailing slash). A pattern that includes an explicit path now stays an exact match. Host and root URL patterns still match deep links, and suffix or prefix tricks such as https://host.evil.com/ still do not match. Applied to both copies of urlPatternToRegex in scripts/content.js and options/options.js, which must stay in sync. Addresses PR review feedback on #2 (review comments on the urlPatternToRegex suffix handling).
Reflect the three-state detection action shipped in this branch. The log action is now documented as a distinct outcome: the detection is recorded in Activity Logs and sent to reporting and webhooks, but no warning banner and no block are shown to the user. This also corrects the earlier statement that a warning banner is shown regardless of the action setting when page blocking is disabled, which is no longer true for the log action, and updates the inline action comments from 'block or warn' to include 'log'. Refs: CyberDrain#161
Contributor
There was a problem hiding this comment.
Pull request overview
This PR refines the extension’s domain-squatting response handling by treating block / warn / log as distinct outcomes (including a new log-only path), and adjusts URL allowlist pattern-to-regex conversion so host/root patterns match deep links as expected.
Changes:
- Implemented true three-state domain-squatting action handling in
scripts/content.js, ensuringlogemits telemetry only (no banner/overlay). - Updated URL allowlist regex conversion in both
scripts/content.jsandoptions/options.jsso host/root patterns match deep links while explicit-path patterns remain exact matches. - Updated domain squatting documentation to describe
block/warn/logbehavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| scripts/content.js | Adds three-state domain-squatting outcomes and improves allowlist pattern matching for deep links. |
| options/options.js | Keeps the UI-side allowlist pattern-to-regex logic in sync with the content script’s updated matching rules. |
| docs/features/domain-squatting-detection.md | Documents the new log action and clarifies blocking/warning behavior. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Logan Cook <2997336+MWG-Logan@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces more precise and flexible handling of domain squatting detection actions, including better support for "log-only" mode, and improves the accuracy and clarity of allowlist pattern matching. The documentation has been updated to reflect these behavioral changes, and the code now distinguishes between blocking, warning, and silent logging actions, ensuring that user-facing warnings are never shown when "log" is selected.
Domain squatting detection behavior and configuration:
action: "log"option in domain squatting detection, which records detections silently without showing banners or blocking pages. Documentation and configuration instructions have been updated to describe all three possible actions:block,warn, andlog. [1] [2] [3]scripts/content.jsto resolve the effective action as a true three-state value (block,warn,log), ensuring telemetry and user notifications are handled according to the selected action. No warnings or blocks are shown whenlogis selected. [1] [2] [3] [4]Allowlist pattern matching improvements:
options/options.jsandscripts/content.jsfor converting allowlist patterns to regular expressions. Host or root URL patterns now match deep links more intuitively, while patterns with explicit paths remain exact matches, preventing unintended broadening of allowlist entries. [1] [2]Fixes: #161
Fixes: #162