Fix/exclusions #2
Open
Logan Cook (MWG-Logan) wants to merge 5 commits into
Pull request overview
This PR updates the browser extension’s URL allowlist pattern matching and domain-squatting action handling, aiming to make allowlisting deep links more intuitive and to distinguish between squatting outcomes (blocked/warned/logged) more accurately in telemetry and user notifications.
Changes:
- Adjust URL pattern → regex conversion so host/root allowlist patterns can match deep links (paths/queries/fragments).
- Refine domain-squatting action resolution to preserve a true three-state action (`block`, `warn`, `log`) and emit corresponding telemetry.
- Prevent user-facing warnings when the squatting action is configured as `log`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| scripts/content.js | Updates URL allowlist regex suffix behavior and refines domain-squatting action/outcome handling and telemetry. |
| options/options.js | Mirrors the updated URL allowlist pattern → regex conversion logic used by the content script. |
Logan Cook (MWG-Logan) added a commit that referenced this pull request Jul 2, 2026
…terns The deep-link matching added for the URL allowlist applied its tolerant trailing matcher to every non-wildcard pattern, which turned path-specific entries into prefix matches. For example an entry for https://host/safe also matched https://host/safe/anything, over-broadening a bypass allowlist entry beyond what the admin intended. Gate the tolerant trailing matcher on host or root URL patterns only (no path segment beyond an optional single trailing slash). A pattern that includes an explicit path now stays an exact match. Host and root URL patterns still match deep links, and suffix or prefix tricks such as https://host.evil.com/ still do not match. Applied to both copies of urlPatternToRegex in scripts/content.js and options/options.js, which must stay in sync. Addresses PR review feedback on #2 (review comments on the urlPatternToRegex suffix handling).
The domain squatting result handler in scripts/content.js collapsed the block | warn | log action enum into block vs. everything-else. Because only the 'block' case was checked, the 'log' action fell through to the warning branch: it showed the orange warning banner and recorded every telemetry line (protection event, CIPP report, webhook) as 'warned'. The 'log' action was therefore functionally identical to 'warn'. Resolve the effective action as a real three-state value (block | warn | log) and derive a matching telemetry outcome (blocked | warned | logged). Preserve the semantics that warn logs telemetry and shows a banner, while log logs telemetry only and shows nothing to the user. Warn logs, log does not warn. The detector side (getActionForSeverity in domain-squatting-detector.js) already passed 'log' through intact and is unchanged. Fixes: CyberDrain#161
urlPatternToRegex appended a hard end-anchor to any non-wildcard pattern, so an allowlisted host or root URL only matched the bare root URL and never a real navigated deep link. An admin who allowlisted the exact host of a page (including the protocol-qualified form) still saw that page scanned or blocked, because the actual URL carries a path and the trailing anchor rejected it. Relax only the trailing anchoring: normalize a single trailing slash and tolerate an optional trailing path, query, or fragment. The tolerated remainder must begin with /, ?, or # so suffix tricks such as https://host.evil.com/ still do not match an entry for https://host/. Leading protocol and subdomain tolerance is intentionally out of scope, so bare-domain entries still require the documented https://.../ * form. The change is applied to both copies of urlPatternToRegex (scripts/content.js and options/options.js), which must stay in sync. Fixes: CyberDrain#162
8dbef89 to 2722187
Reflect the three-state detection action shipped in this branch. The log action is now documented as a distinct outcome: the detection is recorded in Activity Logs and sent to reporting and webhooks, but no warning banner and no block are shown to the user. This also corrects the earlier statement that a warning banner is shown regardless of the action setting when page blocking is disabled, which is no longer true for the log action, and updates the inline action comments from 'block or warn' to include 'log'. Refs: CyberDrain#161
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Logan Cook <2997336+MWG-Logan@users.noreply.github.com>
This pull request improves the handling of URL pattern matching and domain squatting detection actions, making both systems more robust and user-friendly. The changes ensure that allowlisted host or root URL patterns match deep links more intuitively, and that squatting detection can now distinguish between 'block', 'warn', and 'log' actions, with accurate telemetry and user notifications.
URL Pattern Matching Improvements:
- `options/options.js` and `scripts/content.js` to allow patterns for a host or root URL (with or without a trailing slash) to match any path, query, or fragment, improving allowlisting behavior for deep links.
Domain Squatting Detection Enhancements:
- `'block'`, `'warn'`, and `'log'`, instead of collapsing `'log'` into `'warn'`. This clarifies the difference between logging-only (telemetry, no user warning) and warning (telemetry plus banner).
- `blocked`, `warned`, or `logged`) in all relevant places.
- `'log'`, no user notification or warning banner is shown—only telemetry is emitted.
Fixes: CyberDrain#161
Fixes: CyberDrain#162
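The trailing-anchor rules described in the commit messages above, written out as an added example; this is not the extension's own `urlPatternToRegex`. The names `allowlistPatternToRegex` and `isAllowlisted`, the sample hosts, the `*` semantics, and the requirement that a host or root pattern carries a scheme are assumptions made for the illustration.

```javascript
// Added illustration; allowlistPatternToRegex and isAllowlisted are hypothetical
// names, not the project's code.

// Escape regex metacharacters so a literal URL cannot inject regex syntax
// (an unescaped "." in a host would otherwise match any character).
const escapeRegex = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// scheme://host with nothing after the host except an optional single slash.
// Assumption: a host or root pattern always carries a scheme.
const HOST_OR_ROOT = /^[a-z][a-z0-9+.-]*:\/\/[^\/?#]+\/?$/i;

function allowlistPatternToRegex(pattern) {
  if (pattern.includes("*")) {
    // Assumption: "*" matches any run of characters; wildcard patterns stay
    // anchored at both ends.
    const body = pattern.split("*").map(escapeRegex).join(".*");
    return new RegExp("^" + body + "$");
  }
  if (HOST_OR_ROOT.test(pattern)) {
    // Normalize a single trailing slash, then tolerate a remainder that must
    // begin with "/", "?" or "#". The URL's host has to end exactly where the
    // pattern's host ends, so a longer host or an appended port cannot match.
    const base = escapeRegex(pattern.replace(/\/$/, ""));
    return new RegExp("^" + base + "(?:[/?#].*)?$");
  }
  // Pattern names an explicit path: exact match only, never a prefix match.
  return new RegExp("^" + escapeRegex(pattern) + "$");
}

function isAllowlisted(url, patterns) {
  return patterns.some((p) => allowlistPatternToRegex(p).test(url));
}

// Constructed sample entries and URLs (not taken from the project).
const entries = ["https://portal.example.com/", "https://files.example.com/safe"];
const samples = [
  "https://portal.example.com/login?next=%2F#top", // deep link under a root entry
  "https://portal.example.com.evil.test/",         // host-suffix lookalike
  "https://files.example.com/safe",                // exact path entry
  "https://files.example.com/safe/anything",       // below a path entry
];
for (const url of samples) {
  console.log(isAllowlisted(url, entries) ? "allow" : "scan ", url);
}
```
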