Skip to content

Dev#165

Closed
Zacgoose wants to merge 32 commits into
mainfrom
dev
Closed

Dev#165
Zacgoose wants to merge 32 commits into
mainfrom
dev

Conversation

@Zacgoose

@Zacgoose Zacgoose commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

No description provided.

Zacgoose and others added 30 commits April 8, 2026 22:21
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…main-deployment.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…main-deployment.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…main-deployment.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…une Step 2

- Setup script: mirror the Format-ArrayLiteral change for scalar
  replacements by adding Format-SingleQuoted and switching all
  string-valued scalar replacements to single-quoted output.
  Prevents \$ / backtick interpolation in user-provided URLs and
  branding fields when generated scripts run.
- Docs: add the missing "Step 2: Create the Win32 App in Intune"
  between packaging and configuration, fixing the 1 -> 3 jump.
Deploy script previously only wrote the toolbar property when
$forceToolbarPin = 1. Flipping the setting from 1 to 0 left a stale
toolbar_pin=force_pinned / toolbar_state=force_shown on devices,
which Detect couldn't reliably catch without causing an infinite
redeploy loop.

Deploy: always write the toolbar property -- pinned values when =1,
default_unpinned / hidden when =0. Matches the CIPP Intune standard.

Detect: add ToolbarPinnedValue / ToolbarUnpinnedValue to the $browsers
array and always verify the toolbar property against the expected
value based on $forceToolbarPin.

Addresses Copilot review comment on toolbar pin drift.
Setup: Apply-Replacements now tracks which patterns were found and
throws a detailed error listing any missing patterns. Previously a
silent miss (e.g., upstream comment reworded) would produce an output
script stuck on defaults. Callers now pass -TemplateName so the error
identifies which template failed.

Detect: convert all remaining bare Test-RegValue calls and bare exit 1
paths to use Test-RegValueWithDetails / Write-DetectionFailure so every
failure mode emits a specific reason on stdout. Affects customBranding,
genericWebhook, genericWebhook/events (incl. count mismatch and
"unexpected events" branches), urlAllowlist (same), and
ExtensionSettings. Admins running the script manually now see exactly
which check failed.

Addresses Copilot review comments on silent replacement failures and
missing diagnostic output.
feat: Add Intune detection and setup scripts for Windows deployment
Introduce .github/workflows/validate-pr.yml to run automated PR checks on dev and main. The workflow includes jobs for linting (ESLint if config present), CodeQL security analysis, JSON manifest and config validation, Conventional Commits PR title validation, and verification reminders when key files (config/ or manifest) change. This centralizes PR gating and developer guidance for releases and security checks.
An example of some deployment methods. If more screenshots or more official language is needed I'd be happy to assist in any way I can!

Signed-off-by: josh-ricketts-enable <91432846+josh-ricketts-enable@users.noreply.github.com>
Signed-off-by: Zacgoose <107489668+Zacgoose@users.noreply.github.com>
The domain squatting result handler in scripts/content.js collapsed the block | warn | log action enum into block vs. everything-else. Because only the 'block' case was checked, the 'log' action fell through to the warning branch: it showed the orange warning banner and recorded every telemetry line (protection event, CIPP report, webhook) as 'warned'. The 'log' action was therefore functionally identical to 'warn'.

Resolve the effective action as a real three-state value (block | warn | log) and derive a matching telemetry outcome (blocked | warned | logged). Preserve the semantics that warn logs telemetry and shows a banner, while log logs telemetry only and shows nothing to the user. Warn logs, log does not warn.

The detector side (getActionForSeverity in domain-squatting-detector.js) already passed 'log' through intact and is unchanged.

Fixes: #161
urlPatternToRegex appended a hard end-anchor to any non-wildcard pattern, so an allowlisted host or root URL only matched the bare root URL and never a real navigated deep link. An admin who allowlisted the exact host of a page (including the protocol-qualified form) still saw that page scanned or blocked, because the actual URL carries a path and the trailing anchor rejected it.

Relax only the trailing anchoring: normalize a single trailing slash and tolerate an optional trailing path, query, or fragment. The tolerated remainder must begin with /, ?, or # so suffix tricks such as https://host.evil.com/ still do not match an entry for https://host/. Leading protocol and subdomain tolerance is intentionally out of scope, so bare-domain entries still require the documented https://.../ * form.

The change is applied to both copies of urlPatternToRegex (scripts/content.js and options/options.js), which must stay in sync.

Fixes: #162
…terns

The deep-link matching added for the URL allowlist applied its tolerant trailing matcher to every non-wildcard pattern, which turned path-specific entries into prefix matches. For example an entry for https://host/safe also matched https://host/safe/anything, over-broadening a bypass allowlist entry beyond what the admin intended.

Gate the tolerant trailing matcher on host or root URL patterns only (no path segment beyond an optional single trailing slash). A pattern that includes an explicit path now stays an exact match. Host and root URL patterns still match deep links, and suffix or prefix tricks such as https://host.evil.com/ still do not match. Applied to both copies of urlPatternToRegex in scripts/content.js and options/options.js, which must stay in sync.

Addresses PR review feedback on BezaluLLC#2 (review comments on the urlPatternToRegex suffix handling).
Reflect the three-state detection action shipped in this branch. The log action is now documented as a distinct outcome: the detection is recorded in Activity Logs and sent to reporting and webhooks, but no warning banner and no block are shown to the user.

This also corrects the earlier statement that a warning banner is shown regardless of the action setting when page blocking is disabled, which is no longer true for the log action, and updates the inline action comments from 'block or warn' to include 'log'.

Refs: #161
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Logan Cook <2997336+MWG-Logan@users.noreply.github.com>
Zacgoose added 2 commits July 2, 2026 13:59
Signed-off-by: Zacgoose <107489668+Zacgoose@users.noreply.github.com>
@Zacgoose Zacgoose requested review from a team and Copilot July 2, 2026 08:37
@Zacgoose Zacgoose closed this Jul 2, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the extension’s phishing detection pipeline and enterprise deployment experience by expanding detection rules (including AitM + URL-only indicators), improving detection-rules refresh behavior, and aligning domain-squatting defaults/configuration across code and documentation.

Changes:

  • Add new blocking-rule logic for AitM reverse-proxy / off-origin Microsoft marker validation, plus a URL-only indicator pre-check path.
  • Rework detection-rules fetching/caching to avoid persisting bundled fallback rules and to support background refresh + downstream re-init wiring.
  • Add/refresh enterprise deployment + removal scripts and documentation (including new Windows removal docs and an Intune Win32 flow).

Reviewed changes

Copilot reviewed 26 out of 26 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
scripts/modules/domain-squatting-detector.js Changes default domain-squatting enablement and runtime enable semantics.
scripts/modules/detection-rules-manager.js Adds callback wiring, background refresh scheduling, and changes fallback/cache behavior.
scripts/modules/config-manager.js Updates default runtime configuration values for domain squatting.
scripts/content.js Adds new blocking rule type, URL-only indicator pre-check, allowlist regex anchoring tweak, and tri-state squatting actions.
scripts/background.js Wires rules-updated callback and triggers rules refresh on config save.
rules/detection-rules.json Updates rules version/date; adds new elements/indicators and a new AitM blocking rule; updates rogue apps source URL.
options/options.js Aligns domain-squatting enabled semantics and updates allowlist regex anchoring logic.
enterprise/Setup-Windows-Chrome-and-Edge.ps1 New interactive setup script that downloads templates and generates configured deploy/detect scripts.
enterprise/Remove-Windows-Chrome-and-Edge.ps1 Simplifies removal by deleting extension-specific registry keys recursively.
enterprise/macos-linux/README.md Updates documented default for domain-squatting enablement.
enterprise/macos-linux/check-extension-config.mobileconfig Updates managed profile example to disable domain squatting by default.
enterprise/firefox/policies.json Updates Firefox policy example to disable domain squatting by default.
enterprise/Detect-Windows-Chrome-and-Edge.ps1 New Intune detection script validating registry configuration drift.
enterprise/Deploy-Windows-Chrome-and-Edge.ps1 Changes default domain-squatting policy to disabled; always writes toolbar pin state for detection.
enterprise/Check-Extension-Policy.reg Updates sample registry policy to disable domain squatting by default.
enterprise/admx/en-US/Check-Extension.adml Updates policy explain strings to reflect new default disabled state.
docs/SUMMARY.md Adds a new “Removal” section and links.
docs/removal/README.md New top-level removal documentation entry point.
docs/removal/windows/README.md New Windows removal documentation landing page.
docs/removal/windows/chrome-edge.md New Chrome/Edge Windows removal guidance pointing to uninstall script.
docs/removal/windows/firefox.md New Firefox Windows removal guidance.
docs/features/domain-squatting-detection.md Documents tri-state action (block/warn/log) and updated defaults.
docs/deployment/chrome-edge-deployment-instructions/windows/domain-deployment.md Replaces/expands Intune instructions with Win32 packaging + deploy/detect/remove flow.
docs/deployment/chrome-edge-deployment-instructions/macos.md Replaces placeholder with example mobileconfig + CLI snippet guidance.
config/managed_schema.json Changes managed policy schema default for domain squatting to false.
.github/workflows/validate-pr.yml Adds PR validation workflow: lint, CodeQL, JSON “validation”, conventional-title check, and change reminders.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment on lines +194 to +196
this.cachedRules = rules;
this.lastUpdate = 0; // Force next access to re-attempt the remote fetch
this._usingFallback = true;
Comment on lines +208 to +219
// Notify the background-script wiring so dependent subsystems (e.g. the
// domain-squatting detector) can re-initialize with the new rules.
if (typeof this.onRulesUpdated === "function") {
try {
await this.onRulesUpdated(rules);
} catch (callbackError) {
logger.warn(
"onRulesUpdated callback threw:",
callbackError?.message || callbackError
);
}
}

- name: Validate manifest.json
run: |
node -e "require('fs').readFileSync('manifest.json'); console.log('✓ manifest.json is valid JSON')"

- name: Validate Firefox manifest
run: |
node -e "require('fs').readFileSync('manifest.firefox.json'); console.log('✓ manifest.firefox.json is valid JSON')"
Comment on lines +68 to +72
for file in config/*.json rules/*.json; do
if [ -f "$file" ]; then
node -e "require('fs').readFileSync('$file'); console.log('✓ $file is valid JSON')" || exit 1
fi
done
Comment on lines +103 to +113
# If config/branding.json or config/managed_schema.json changed
if git diff origin/main HEAD --name-only | grep -q "^config/"; then
echo "⚠️ Configuration files were modified"
echo "Reminder: Review enterprise/Deploy-Windows-Chrome-and-Edge.ps1 and enterprise/admx/Check-Extension.admx"
fi

# If manifest changed
if git diff origin/main HEAD --name-only | grep -qE "manifest.*\.json"; then
echo "ℹ️ Manifest was modified"
echo "Reminder: Test in both Chrome and Firefox"
fi
Comment on lines +96 to +98
if [[ -d "$chrome_extensions_folder" ]]; then
mkdir -p "$chrome_extensions_folder"
fi
Comment on lines +107 to +110
if [ $# -ne 1 ]; then
echo "Usage: $0 <extension_id>"
exit 1
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants