
/_login and /adfs is missing as exception #29

Closed
crssi opened this issue Jul 7, 2017 · 10 comments

Comments


crssi commented Jul 7, 2017

Sample: https://partner.microsoft.com/en-US/inspiring-partners/

Cheers

crssi changed the title from "/_login is missing" to "/_login is missing as exception" Jul 7, 2017
crssi changed the title from "/_login is missing as exception" to "/_login and /adfs is missing as exception" Jul 7, 2017
Collaborator

sblask commented Jul 7, 2017

My goal is not to create a global blacklist. Please add those in your preferences.

sblask closed this as completed Jul 7, 2017
Author

crssi commented Jul 7, 2017

Understood, but /adfs is always the login for MS private/on-premises cloud and it causes breakage for anyone in an enterprise environment.
It's not hard for me to add, which I have already done... my goal is to help you to help a wider audience.
It's your extension, so I will respect your decision, whichever it is, and back off from reporting further findings if it is not helping you.

Cheers

For quick reference, what ADFS is:
http://www.dagint.com/how-to-test-if-adfs-is-functioning/
https://en.wikipedia.org/wiki/Active_Directory_Federation_Services

Collaborator

sblask commented Jul 7, 2017

I know what you mean, but even if you'd provide pull requests for everything, it's a rabbit hole. Where would I stop?

There is also another issue: if the default blacklist is too long, it becomes hard to understand. I had complaints that some redirects were not skipped even though it would not have been a problem. All because they were on the blacklist. That's why I made the defaults visible and configurable.

It's hard to keep the balance...

Author

crssi commented Jul 7, 2017

I have edited my previous post with links explaining what ADFS is.
I don't expect any further actions. :)
Anyway, your product is great and thank you for providing it. :)

Cheers

Collaborator

sblask commented Jul 11, 2017

@crssi what do you think about #30 ? That could solve your problems too?

Author

crssi commented Jul 12, 2017

Yes, it would greatly help in limiting false positives, and implementing it will make your extension more rock solid and reliable, since this way you "dynamically blacklist" everything from the same origin. So I presume it's quite reliable.
As you have already found out, "detecting" TLDs can be quite complex.

You can refer to the following resources:
https://wiki.mozilla.org/TLD_List which is obsolete, but it leads you to https://publicsuffix.org/ which is an initiative of Mozilla and, from what I understand, Mozilla is also using it for TLD "detection".

Then you can go further to https://publicsuffix.org/list/ where you have instructions and the link to the maintained "database" at https://publicsuffix.org/list/effective_tld_names.dat

IDK which is the better approach:

  1. Downloading the list from the source once and then or manually (similarly to what gorhill did for uBO and uMatrix for 3rd-party filters)
  2. Hardcoding the "database" and publishing it to AMO, e.g. once per month, as a newer version

But I have another idea (CORS), which you can consider... will make one next post about that.

Cheers
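The Public Suffix List approach proposed above, as an added example that is neither the extension's code nor the commenter's: a small parser for the effective_tld_names.dat format over a constructed excerpt of rules, computing the registrable domain ("eTLD+1") and a same-site check between a page URL and a redirect target. The hostnames used are sample values, and the real list has thousands of rules plus a private-domains section that this excerpt omits.

```javascript
// Added example (not the extension's own code): a minimal Public Suffix List parser in the
// effective_tld_names.dat format, giving the registrable domain ("eTLD+1") of a hostname.
const SAMPLE_PSL = `
// constructed excerpt: "//" comments, plain, wildcard (*) and exception (!) rules
com
co.uk
*.ck
!www.ck
`;
// A rule is its labels (matched right to left) plus whether it is an exception ("!").
function parsePsl(text) {
  return text.split("\n").map((l) => l.trim())
    .filter((l) => l && !l.startsWith("//"))
    .map((l) => ({ exception: l.startsWith("!"),
                   labels: l.replace(/^!/, "").toLowerCase().split(".") }));
}
function hostLabels(hostname) {
  return hostname.toLowerCase().replace(/\.$/, "").split(".");
}
function ruleMatches(rule, labels) {
  if (rule.labels.length > labels.length) return false;
  for (let i = 1; i <= rule.labels.length; i++) {
    const r = rule.labels[rule.labels.length - i];
    if (r !== "*" && r !== labels[labels.length - i]) return false;
  }
  return true;
}
// PSL algorithm: an exception rule wins (suffix = rule minus its leftmost label);
// otherwise the longest matching rule; with no match the implicit "*" rule (one label).
function publicSuffix(hostname, rules) {
  const labels = hostLabels(hostname);
  const matches = rules.filter((r) => ruleMatches(r, labels));
  const exc = matches.find((r) => r.exception);
  if (exc) return exc.labels.slice(1).join(".");
  const n = matches.reduce((m, r) => Math.max(m, r.labels.length), 1);
  return labels.slice(labels.length - n).join(".");
}
// Registrable domain = public suffix plus one label; null when the host is itself a suffix.
function registrableDomain(hostname, rules) {
  const labels = hostLabels(hostname);
  const n = publicSuffix(hostname, rules).split(".").length;
  return labels.length > n ? labels.slice(labels.length - n - 1).join(".") : null;
}
// Same registrable domain = same site: the redirects the thread proposes to leave alone.
function sameSite(fromUrl, toUrl, rules) {
  const a = registrableDomain(new URL(fromUrl).hostname, rules);
  const b = registrableDomain(new URL(toUrl).hostname, rules);
  return a !== null && a === b;
}
const RULES = parsePsl(SAMPLE_PSL);
```

With the real list loaded into `parsePsl`, `sameSite(pageUrl, redirectTarget, RULES)` is the check an extension could run before deciding whether a redirect is worth skipping.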

Author

crssi commented Jul 12, 2017

CORS way...
NOTE: I am just brainstorming here, so everything here might be very false and must be triple checked.

In case #30 you can see what is happening on a CORS level... inspect the header, where you will find:
x-frame-options: "SAMEORIGIN"

So in case we have SAMEORIGIN (and not CROSSORIGIN) within header, you could dynamically blacklist it and skip the "skip redirect" actions.

I am here available for further brainstorming.

Cheers

Author

crssi commented Jul 12, 2017

^^ DOH, did a few more tests on some other pages, and it would work for #30, but not everyone is using CORS directives... so this way might be an enhancement, but it doesn't even remotely cover the majority. "TLD detection" is still the way to go.

Collaborator

sblask commented Jul 12, 2017

@crssi let's continue the discussion in #30

Author

crssi commented Jul 12, 2017

ACK :)
