/_login and /adfs is missing as exception #29
Comments
My goal is not to create a global blacklist. Please add those in your preferences.
Understood, but /adfs is always the login for MS private/on premises cloud and it makes breakage for anyone in the enterprise environment. Cheers for quick reference what adfs is:
I know what you mean, but even if you'd provide pull requests for everything, it's a rabbit hole. Where would I stop? There is also another issue: if the default blacklist is too long, it becomes hard to understand. I had complaints that some redirects were not skipped even though it would not have been a problem. All because they were on the blacklist. That's why I made the defaults visible and configurable. It's hard to keep the balance...
I have edited my previous post with links explaining what ADFS is. Cheers
Yes, it would greatly enhance limiting false positives and implementing will make your extension more rock solid and reliable and this way "dynamically blacklist" everything from the same origin. So I presume it's quite reliable. You can refer to following resources: Then you can go further to https://publicsuffix.org/list/ where you have instructions and the link to maintained "database" at https://publicsuffix.org/list/effective_tld_names.dat IDK which is better approach:
But I have another idea (CORS), which you can consider... will make one next post about that. Cheers
CORS way... In case #30 you can see what is happening on a CORS level... inspect header, where you will find: So in case we have SAMEORIGIN (and not CROSSORIGIN) within header, you could dynamically blacklist it and skip the "skip redirect" actions. I am here available for further brainstorming. Cheers
^^ DOH, did one more test on some other pages, and it would work for #30 but not everyone is using CORS directives... so this way might be enhancement, but doesn't even remotely cover majority. "TLD detection" is still the way to go.
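The "TLD detection" idea from the two comments above, as an added example that is not part of the thread or the extension's code: compare the registrable domain of the current URL with that of the embedded target and leave same-site redirects (such as an `/adfs` login) alone. The rule subset, the `embeddedTarget` helper and the sample URLs are constructed for illustration.

```javascript
// Added example. RULES is a small constructed subset of the Public Suffix List;
// a real build would load effective_tld_names.dat from publicsuffix.org.
const RULES = new Set(["com", "net", "uk", "co.uk", "*.ck", "!www.ck"]);

// Registrable domain (public suffix plus one label), or null when the host
// is itself a public suffix. IP literals are returned unchanged.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (/^[\d.]+$/.test(host) || host.includes(":")) return host;
  const labels = host.split(".");
  let suffixLen = 1; // PSL default rule "*": the last label is a suffix
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const n = labels.length - i;
    if (RULES.has("!" + candidate)) { suffixLen = n - 1; break; } // exception rule wins
    const wildcard = "*." + labels.slice(i + 1).join(".");
    if (RULES.has(candidate) || (n > 1 && RULES.has(wildcard))) {
      suffixLen = Math.max(suffixLen, n);
    }
  }
  return labels.length > suffixLen ? labels.slice(-(suffixLen + 1)).join(".") : null;
}

// Hypothetical stand-in for the extension's own detection of a URL embedded
// in a query parameter.
function embeddedTarget(url) {
  for (const value of new URL(url).searchParams.values()) {
    if (/^https?:\/\//i.test(value)) return value;
  }
  return null;
}

// Skip the intermediate page only when the embedded target is on a different
// site; same-site redirects (such as a login flow) are left alone.
function shouldSkipRedirect(url) {
  const target = embeddedTarget(url);
  if (target === null) return false;
  const from = registrableDomain(new URL(url).hostname);
  const to = registrableDomain(new URL(target).hostname);
  return !(from !== null && from === to);
}

// Constructed sample URLs.
const LOGIN = "https://sts.example.co.uk/adfs/ls/?wreply=https%3A%2F%2Fportal.example.co.uk%2Fhome";
const TRACKER = "https://out.tracker.com/r?u=https%3A%2F%2Fshop.example.net%2Fitem";
console.log(shouldSkipRedirect(LOGIN), shouldSkipRedirect(TRACKER)); // false true
```

Comparing only the last two labels would treat `a.co.uk` and `b.co.uk` as the same site, which is why the suffix rules are needed.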
ACK :)
Sample: https://partner.microsoft.com/en-US/inspiring-partners/
Cheers