fix: Refine domain squatting actions and enhance URL allowlist matching #164

Merged
Zacgoose merged 5 commits into CyberDrain:dev from BezaluLLC:fix/exclusions
Jul 2, 2026

MWG-Logan commented Jul 2, 2026

Contributor

This pull request introduces more precise and flexible handling of domain squatting detection actions, including better support for "log-only" mode, and improves the accuracy and clarity of allowlist pattern matching. The documentation has been updated to reflect these behavioral changes, and the code now distinguishes between blocking, warning, and silent logging actions, ensuring that user-facing warnings are never shown when "log" is selected.

Domain squatting detection behavior and configuration:

  • Added support for a new action: "log" option in domain squatting detection, which records detections silently without showing banners or blocking pages. Documentation and configuration instructions have been updated to describe all three possible actions: block, warn, and log.
  • Updated scripts/content.js to resolve the effective action as a true three-state value (block, warn, log), ensuring telemetry and user notifications are handled according to the selected action. No warnings or blocks are shown when log is selected.

Allowlist pattern matching improvements:

  • Refined the logic in both options/options.js and scripts/content.js for converting allowlist patterns to regular expressions. Host or root URL patterns now match deep links more intuitively, while patterns with explicit paths remain exact matches, preventing unintended broadening of allowlist entries.

Fixes: #161
Fixes: #162

MWG-Logan added 4 commits July 1, 2026 21:25
The domain squatting result handler in scripts/content.js collapsed the block | warn | log action enum into block vs. everything-else. Because only the 'block' case was checked, the 'log' action fell through to the warning branch: it showed the orange warning banner and recorded every telemetry line (protection event, CIPP report, webhook) as 'warned'. The 'log' action was therefore functionally identical to 'warn'.

Resolve the effective action as a real three-state value (block | warn | log) and derive a matching telemetry outcome (blocked | warned | logged). Preserve the semantics that warn logs telemetry and shows a banner, while log logs telemetry only and shows nothing to the user. Warn logs, log does not warn.

The detector side (getActionForSeverity in domain-squatting-detector.js) already passed 'log' through intact and is unchanged.

Fixes: CyberDrain#161

urlPatternToRegex appended a hard end-anchor to any non-wildcard pattern, so an allowlisted host or root URL only matched the bare root URL and never a real navigated deep link. An admin who allowlisted the exact host of a page (including the protocol-qualified form) still saw that page scanned or blocked, because the actual URL carries a path and the trailing anchor rejected it.

Relax only the trailing anchoring: normalize a single trailing slash and tolerate an optional trailing path, query, or fragment. The tolerated remainder must begin with /, ?, or # so suffix tricks such as https://host.evil.com/ still do not match an entry for https://host/. Leading protocol and subdomain tolerance is intentionally out of scope, so bare-domain entries still require the documented https://.../ * form.

The change is applied to both copies of urlPatternToRegex (scripts/content.js and options/options.js), which must stay in sync.

Fixes: CyberDrain#162

…terns

The deep-link matching added for the URL allowlist applied its tolerant trailing matcher to every non-wildcard pattern, which turned path-specific entries into prefix matches. For example an entry for https://host/safe also matched https://host/safe/anything, over-broadening a bypass allowlist entry beyond what the admin intended.

Gate the tolerant trailing matcher on host or root URL patterns only (no path segment beyond an optional single trailing slash). A pattern that includes an explicit path now stays an exact match. Host and root URL patterns still match deep links, and suffix or prefix tricks such as https://host.evil.com/ still do not match. Applied to both copies of urlPatternToRegex in scripts/content.js and options/options.js, which must stay in sync.

Addresses PR review feedback on #2 (review comments on the urlPatternToRegex suffix handling).

Reflect the three-state detection action shipped in this branch. The log action is now documented as a distinct outcome: the detection is recorded in Activity Logs and sent to reporting and webhooks, but no warning banner and no block are shown to the user.

This also corrects the earlier statement that a warning banner is shown regardless of the action setting when page blocking is disabled, which is no longer true for the log action, and updates the inline action comments from 'block or warn' to include 'log'.

Refs: CyberDrain#161
Copilot AI review requested due to automatic review settings July 2, 2026 02:50

Copilot AI left a comment

Contributor

Pull request overview

This PR refines the extension’s domain-squatting response handling by treating block / warn / log as distinct outcomes (including a new log-only path), and adjusts URL allowlist pattern-to-regex conversion so host/root patterns match deep links as expected.

Changes:

  • Implemented true three-state domain-squatting action handling in scripts/content.js, ensuring log emits telemetry only (no banner/overlay).
  • Updated URL allowlist regex conversion in both scripts/content.js and options/options.js so host/root patterns match deep links while explicit-path patterns remain exact matches.
  • Updated domain squatting documentation to describe block / warn / log behavior.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| scripts/content.js | Adds three-state domain-squatting outcomes and improves allowlist pattern matching for deep links. |
| options/options.js | Keeps the UI-side allowlist pattern-to-regex logic in sync with the content script’s updated matching rules. |
| docs/features/domain-squatting-detection.md | Documents the new log action and clarifies blocking/warning behavior. |

Comment thread docs/features/domain-squatting-detection.md Outdated
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Logan Cook <2997336+MWG-Logan@users.noreply.github.com>
@Zacgoose Zacgoose merged commit e629444 into CyberDrain:dev Jul 2, 2026
7 checks passed
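
The allowlist matching rules stated in the commit messages and the review overview above (host or root entries cover deep links, the tolerated remainder must begin with /, ? or #, explicit-path entries stay exact), as an added example that is not the extension's own urlPatternToRegex. The function names and sample URLs are assumptions constructed for illustration, and wildcard patterns are left out of scope.

```javascript
// Added example: hypothetical names, not the extension's own urlPatternToRegex.
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// True for scheme://host with at most one trailing slash (no path, query, fragment).
function isHostOrRootPattern(pattern) {
  return /^[a-z][a-z0-9+.-]*:\/\/[^\/?#]+\/?$/i.test(pattern);
}

function allowlistPatternToRegex(pattern) {
  if (pattern.includes("*")) {
    // Wildcard entries are not covered by this example.
    throw new RangeError("wildcard patterns are not handled in this example");
  }
  if (isHostOrRootPattern(pattern)) {
    // Normalize one trailing slash, then allow an optional remainder that
    // must start with '/', '?' or '#', so the host itself cannot be extended.
    const base = escapeRe(pattern.replace(/\/$/, ""));
    return new RegExp("^" + base + "(?:[/?#].*)?$");
  }
  // Explicit path: keep the hard end anchor so the entry stays an exact match.
  return new RegExp("^" + escapeRe(pattern) + "$");
}

function isAllowlisted(url, patterns) {
  return patterns.some((p) => allowlistPatternToRegex(p).test(url));
}

// Constructed sample URLs, reusing the hosts named in the commit messages.
const SAMPLE_URLS = [
  "https://host/",
  "https://host/login?next=%2Fhome",
  "https://host.evil.com/",
  "https://host/safe",
  "https://host/safe/anything",
];

// Returns the subset of SAMPLE_URLS that a single allowlist entry covers.
function coveredBy(pattern) {
  return SAMPLE_URLS.filter((u) => isAllowlisted(u, [pattern]));
}

console.log(coveredBy("https://host/"));     // root entry: deep links on the same host
console.log(coveredBy("https://host/safe")); // path entry: exact URL only
```

Both copies of the conversion (content script and options page) need the same test vectors, since the commits note that the two must stay in sync.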