Add local URL security hints#273

Merged
mortenn merged 8 commits into main from issue-247-local-url-security
Apr 29, 2026

mortenn (Owner) commented Apr 29, 2026

Summary

  • Adds local-only URL presentation hints for scheme, registrable domains, IDN/punycode, and Windows file paths in the picker omnibox.
  • Adds safer remember-default behavior for host vs registrable-domain choices and prevents hostname defaults from matching file URLs.
  • Adds xUnit v3 coverage for URL presentation/default matching and runs it from CI/PR validation.

Test plan

  • dotnet test tests/BrowserPicker.Common.Tests/BrowserPicker.Common.Tests.csproj -p:Version=1.0.0 -p:Platform=x64 --no-restore --verbosity minimal
  • dotnet build src/BrowserPicker.UI/BrowserPicker.UI.csproj -p:Version=1.0.0 -p:Platform=x64 -p:OutputPath=$env:TEMP\BrowserPickerVerify\

Fixes #247
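
The local-only hinting and the file-URL exclusion described in the summary above, as an added illustration that is not BrowserPicker's own code: `UrlHints`, `Describe` and `MatchesHostDefault` are hypothetical names, the inputs are constructed, and Windows path handling is assumed. Registrable-domain detection is left out because it needs Public Suffix List data.

```csharp
// Added illustration: UrlHints and its members are hypothetical names, not BrowserPicker's API.
using System;
using System.Globalization;
using System.Linq;

public static class UrlHints
{
    private static readonly IdnMapping Idn = new();

    // Builds the hint from string parsing only: no DNS lookup and no request to the target.
    public static string Describe(string target)
    {
        if (!Uri.TryCreate(target, UriKind.Absolute, out var uri))
            return "unparseable";
        if (uri.IsFile)
            return $"file path: {uri.LocalPath}";

        var ascii = uri.IdnHost; // ASCII (punycode) form of the host
        var hint = $"scheme: {uri.Scheme}, host: {ascii}";
        if (ascii.Split('.').Any(l => l.StartsWith("xn--", StringComparison.OrdinalIgnoreCase)))
        {
            // Show the decoded form next to the punycode so look-alike names stand out.
            try { hint += $", decodes to: {Idn.GetUnicode(ascii)}"; }
            catch (ArgumentException) { hint += ", invalid punycode label"; }
        }
        return hint;
    }

    // A remembered hostname rule covers network URLs only. A UNC path such as
    // \\example.com\share\a.html parses with Host "example.com" and must not match it.
    public static bool MatchesHostDefault(Uri uri, string rememberedHost) =>
        !uri.IsFile
        && string.Equals(uri.IdnHost, rememberedHost, StringComparison.OrdinalIgnoreCase);
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs.
        string[] samples = { "https://xn--bcher-kva.example/login", "https://example.com/",
                             @"C:\Users\me\page.html", @"\\example.com\share\a.html" };
        foreach (var s in samples)
        {
            var matches = UrlHints.MatchesHostDefault(new Uri(s), "example.com");
            Console.WriteLine($"{s} => {UrlHints.Describe(s)} (example.com default: {matches})");
        }
    }
}
```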

github-actions (Bot) commented Apr 29, 2026

PR Validation

Check Result
CSharpier success
XamlStyler success
dotnet test success

CSharpier

Output
Checked 62 files in 671ms.

XamlStyler

Output
Checking: src\BrowserPicker.UI\App.xaml
  PASS
Checking: src\BrowserPicker.UI\Resources\ResourceDictionary.xaml
  PASS
Checking: src\BrowserPicker.UI\Views\BrowserEditor.xaml
  PASS
Checking: src\BrowserPicker.UI\Views\BrowserList.xaml
  PASS
Checking: src\BrowserPicker.UI\Views\Configuration.xaml
  PASS
Checking: src\BrowserPicker.UI\Views\ExceptionReport.xaml
  PASS
Checking: src\BrowserPicker.UI\Views\LoadingWindow.xaml
  PASS
Checking: src\BrowserPicker.UI\Views\MainWindow.xaml
  PASS
Checking: src\BrowserPicker.UI\Views\UrlEditor.xaml
  PASS

9 of 9 files pass format check.

dotnet test

Output
  Determining projects to restore...
  Restored D:\a\BrowserPicker\BrowserPicker\dist\Dependent\Dependent.wixproj (in 1.35 sec).
  Restored D:\a\BrowserPicker\BrowserPicker\dist\Portable\Portable.wixproj (in 1.35 sec).
  Restored D:\a\BrowserPicker\BrowserPicker\tests\BrowserPicker.Common.Tests\BrowserPicker.Common.Tests.csproj (in 25.25 sec).
  Restored D:\a\BrowserPicker\BrowserPicker\src\BrowserPicker.Windows\BrowserPicker.Windows.csproj (in 22.05 sec).
  Restored D:\a\BrowserPicker\BrowserPicker\src\BrowserPicker.Common\BrowserPicker.Common.csproj (in 2.89 sec).
  Restored D:\a\BrowserPicker\BrowserPicker\tools\BrowserPicker.SchemaGen\BrowserPicker.SchemaGen.csproj (in 22.05 sec).
  Restored D:\a\BrowserPicker\BrowserPicker\src\BrowserPicker.UI\BrowserPicker.UI.csproj (in 28.16 sec).
  BrowserPicker.Common -> D:\a\BrowserPicker\BrowserPicker\src\BrowserPicker.Common\bin\Debug\net10.0-windows\BrowserPicker.Common.dll
  BrowserPicker.Common.Tests -> D:\a\BrowserPicker\BrowserPicker\tests\BrowserPicker.Common.Tests\bin\x64\Debug\net10.0-windows\BrowserPicker.Common.Tests.dll
Test run for D:\a\BrowserPicker\BrowserPicker\tests\BrowserPicker.Common.Tests\bin\x64\Debug\net10.0-windows\BrowserPicker.Common.Tests.dll (.NETCoreApp,Version=v10.0)
A total of 1 test files matched the specified pattern.
Results File: D:\a\BrowserPicker\BrowserPicker\test-results\dotnet-test.trx

Passed!  - Failed:     0, Passed:    12, Skipped:     0, Total:    12, Duration: 98 ms - BrowserPicker.Common.Tests.dll (net10.0)

Run: PR Validation #24

mortenn force-pushed the issue-247-local-url-security branch from 7fe26c3 to 3b1ac5f on April 29, 2026 19:50
Derives picker URL presentation locally for scheme, registrable domain, IDN/punycode, and Windows file path hints without contacting the target host.

Adds safer remember-default choices, prevents hostname defaults from matching file URLs, tightens picker row/resize behavior, and adds xUnit/CI coverage for the URL parsing rules.

Made-with: Cursor
mortenn force-pushed the issue-247-local-url-security branch from 3b1ac5f to 6b5f5bf on April 29, 2026 19:54

mortenn (Owner, Author) left a comment

overall in good shape, but I have some suggestions and questions.

Comment thread .github/workflows/ci.yml Outdated
Comment thread .github/workflows/pr-validation.yml Outdated
Comment thread src/BrowserPicker.Common/UrlSecurityPresentation.cs
Comment thread src/BrowserPicker.UI/Views/BrowserList.xaml Outdated
Comment thread src/BrowserPicker.UI/Views/BrowserList.xaml Outdated
Comment thread src/BrowserPicker.UI/Views/BrowserList.xaml
Comment thread src/BrowserPicker.UI/Views/MainWindow.xaml.cs
Comment thread tests/BrowserPicker.Common.Tests/UnitTest1.cs
Comment thread tests/BrowserPicker.Common.Tests/UnitTest1.cs Outdated
mortenn added 7 commits April 29, 2026 22:32
Pins BrowserPicker workflows to the merged shared workflow update, tightens URL hint tooltips, reduces small XAML duplication, and switches the new tests to AwesomeAssertions.

Made-with: Cursor
Pins BrowserPicker workflow wrappers to the merged BrowserPicker.Actions fix for PR validation artifact uploads.

Made-with: Cursor
Restores the full URL at the top of the picker tooltip, widens wrapping, and separates it visually from the local hint details.

Made-with: Cursor
Adds structured URL tooltip lines so the picker can render muted labels next to normal value text while preserving the full URL header.

Made-with: Cursor
Renders hint labels inline with muted styling so long values can wrap across the full tooltip width.

Made-with: Cursor
Uses inherited tooltip foreground with semibold labels instead of gray text on a gray tooltip background.

Made-with: Cursor
Uses the system highlight brush for tooltip labels so they stay distinct in both dark and light tooltip themes.

Made-with: Cursor
mortenn merged commit 83caa40 into main on Apr 29, 2026
1 check passed
mortenn deleted the issue-247-local-url-security branch on April 29, 2026 21:07

Development

Successfully merging this pull request may close these issues.

Security hints: local URL parsing, domain highlight, and IDN visibility