Conversation
Better removal script
Docs for removal
…nt of Check extension
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…main-deployment.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…main-deployment.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…main-deployment.md Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…une Step 2 - Setup script: mirror the Format-ArrayLiteral change for scalar replacements by adding Format-SingleQuoted and switching all string-valued scalar replacements to single-quoted output. Prevents \$ / backtick interpolation in user-provided URLs and branding fields when generated scripts run. - Docs: add the missing "Step 2: Create the Win32 App in Intune" between packaging and configuration, fixing the 1 -> 3 jump.
Deploy script previously only wrote the toolbar property when $forceToolbarPin = 1. Flipping the setting from 1 to 0 left a stale toolbar_pin=force_pinned / toolbar_state=force_shown on devices, which Detect couldn't reliably catch without causing an infinite redeploy loop. Deploy: always write the toolbar property -- pinned values when =1, default_unpinned / hidden when =0. Matches the CIPP Intune standard. Detect: add ToolbarPinnedValue / ToolbarUnpinnedValue to the $browsers array and always verify the toolbar property against the expected value based on $forceToolbarPin. Addresses Copilot review comment on toolbar pin drift.
Setup: Apply-Replacements now tracks which patterns were found and throws a detailed error listing any missing patterns. Previously a silent miss (e.g., upstream comment reworded) would produce an output script stuck on defaults. Callers now pass -TemplateName so the error identifies which template failed. Detect: convert all remaining bare Test-RegValue calls and bare exit 1 paths to use Test-RegValueWithDetails / Write-DetectionFailure so every failure mode emits a specific reason on stdout. Affects customBranding, genericWebhook, genericWebhook/events (incl. count mismatch and "unexpected events" branches), urlAllowlist (same), and ExtensionSettings. Admins running the script manually now see exactly which check failed. Addresses Copilot review comments on silent replacement failures and missing diagnostic output.
feat: Add Intune detection and setup scripts for Windows deployment
Introduce .github/workflows/validate-pr.yml to run automated PR checks on dev and main. The workflow includes jobs for linting (ESLint if config present), CodeQL security analysis, JSON manifest and config validation, Conventional Commits PR title validation, and verification reminders when key files (config/ or manifest) change. This centralizes PR gating and developer guidance for releases and security checks.
An example of some deployment methods. If more screenshots or more official language is needed I'd be happy to assist in any way I can! Signed-off-by: josh-ricketts-enable <91432846+josh-ricketts-enable@users.noreply.github.com>
Signed-off-by: Zacgoose <107489668+Zacgoose@users.noreply.github.com>
Update macos.md
The domain squatting result handler in scripts/content.js collapsed the block | warn | log action enum into block vs. everything-else. Because only the 'block' case was checked, the 'log' action fell through to the warning branch: it showed the orange warning banner and recorded every telemetry line (protection event, CIPP report, webhook) as 'warned'. The 'log' action was therefore functionally identical to 'warn'. Resolve the effective action as a real three-state value (block | warn | log) and derive a matching telemetry outcome (blocked | warned | logged). Preserve the semantics that warn logs telemetry and shows a banner, while log logs telemetry only and shows nothing to the user. Warn logs, log does not warn. The detector side (getActionForSeverity in domain-squatting-detector.js) already passed 'log' through intact and is unchanged. Fixes: #161
urlPatternToRegex appended a hard end-anchor to any non-wildcard pattern, so an allowlisted host or root URL only matched the bare root URL and never a real navigated deep link. An admin who allowlisted the exact host of a page (including the protocol-qualified form) still saw that page scanned or blocked, because the actual URL carries a path and the trailing anchor rejected it. Relax only the trailing anchoring: normalize a single trailing slash and tolerate an optional trailing path, query, or fragment. The tolerated remainder must begin with /, ?, or # so suffix tricks such as https://host.evil.com/ still do not match an entry for https://host/. Leading protocol and subdomain tolerance is intentionally out of scope, so bare-domain entries still require the documented https://.../ * form. The change is applied to both copies of urlPatternToRegex (scripts/content.js and options/options.js), which must stay in sync. Fixes: #162
…terns The deep-link matching added for the URL allowlist applied its tolerant trailing matcher to every non-wildcard pattern, which turned path-specific entries into prefix matches. For example an entry for https://host/safe also matched https://host/safe/anything, over-broadening a bypass allowlist entry beyond what the admin intended. Gate the tolerant trailing matcher on host or root URL patterns only (no path segment beyond an optional single trailing slash). A pattern that includes an explicit path now stays an exact match. Host and root URL patterns still match deep links, and suffix or prefix tricks such as https://host.evil.com/ still do not match. Applied to both copies of urlPatternToRegex in scripts/content.js and options/options.js, which must stay in sync. Addresses PR review feedback on BezaluLLC#2 (review comments on the urlPatternToRegex suffix handling).
Reflect the three-state detection action shipped in this branch. The log action is now documented as a distinct outcome: the detection is recorded in Activity Logs and sent to reporting and webhooks, but no warning banner and no block are shown to the user. This also corrects the earlier statement that a warning banner is shown regardless of the action setting when page blocking is disabled, which is no longer true for the log action, and updates the inline action comments from 'block or warn' to include 'log'. Refs: #161
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> Signed-off-by: Logan Cook <2997336+MWG-Logan@users.noreply.github.com>
Signed-off-by: Zacgoose <107489668+Zacgoose@users.noreply.github.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the extension’s phishing detection pipeline and enterprise deployment experience by expanding detection rules (including AitM + URL-only indicators), improving detection-rules refresh behavior, and aligning domain-squatting defaults/configuration across code and documentation.
Changes:
- Add new blocking-rule logic for AitM reverse-proxy / off-origin Microsoft marker validation, plus a URL-only indicator pre-check path.
- Rework detection-rules fetching/caching to avoid persisting bundled fallback rules and to support background refresh + downstream re-init wiring.
- Add/refresh enterprise deployment + removal scripts and documentation (including new Windows removal docs and an Intune Win32 flow).
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| scripts/modules/domain-squatting-detector.js | Changes default domain-squatting enablement and runtime enable semantics. |
| scripts/modules/detection-rules-manager.js | Adds callback wiring, background refresh scheduling, and changes fallback/cache behavior. |
| scripts/modules/config-manager.js | Updates default runtime configuration values for domain squatting. |
| scripts/content.js | Adds new blocking rule type, URL-only indicator pre-check, allowlist regex anchoring tweak, and tri-state squatting actions. |
| scripts/background.js | Wires rules-updated callback and triggers rules refresh on config save. |
| rules/detection-rules.json | Updates rules version/date; adds new elements/indicators and a new AitM blocking rule; updates rogue apps source URL. |
| options/options.js | Aligns domain-squatting enabled semantics and updates allowlist regex anchoring logic. |
| enterprise/Setup-Windows-Chrome-and-Edge.ps1 | New interactive setup script that downloads templates and generates configured deploy/detect scripts. |
| enterprise/Remove-Windows-Chrome-and-Edge.ps1 | Simplifies removal by deleting extension-specific registry keys recursively. |
| enterprise/macos-linux/README.md | Updates documented default for domain-squatting enablement. |
| enterprise/macos-linux/check-extension-config.mobileconfig | Updates managed profile example to disable domain squatting by default. |
| enterprise/firefox/policies.json | Updates Firefox policy example to disable domain squatting by default. |
| enterprise/Detect-Windows-Chrome-and-Edge.ps1 | New Intune detection script validating registry configuration drift. |
| enterprise/Deploy-Windows-Chrome-and-Edge.ps1 | Changes default domain-squatting policy to disabled; always writes toolbar pin state for detection. |
| enterprise/Check-Extension-Policy.reg | Updates sample registry policy to disable domain squatting by default. |
| enterprise/admx/en-US/Check-Extension.adml | Updates policy explain strings to reflect new default disabled state. |
| docs/SUMMARY.md | Adds a new “Removal” section and links. |
| docs/removal/README.md | New top-level removal documentation entry point. |
| docs/removal/windows/README.md | New Windows removal documentation landing page. |
| docs/removal/windows/chrome-edge.md | New Chrome/Edge Windows removal guidance pointing to uninstall script. |
| docs/removal/windows/firefox.md | New Firefox Windows removal guidance. |
| docs/features/domain-squatting-detection.md | Documents tri-state action (block/warn/log) and updated defaults. |
| docs/deployment/chrome-edge-deployment-instructions/windows/domain-deployment.md | Replaces/expands Intune instructions with Win32 packaging + deploy/detect/remove flow. |
| docs/deployment/chrome-edge-deployment-instructions/macos.md | Replaces placeholder with example mobileconfig + CLI snippet guidance. |
| config/managed_schema.json | Changes managed policy schema default for domain squatting to false. |
| .github/workflows/validate-pr.yml | Adds PR validation workflow: lint, CodeQL, JSON “validation”, conventional-title check, and change reminders. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Comment on lines
+194
to
+196
| this.cachedRules = rules; | ||
| this.lastUpdate = 0; // Force next access to re-attempt the remote fetch | ||
| this._usingFallback = true; |
Comment on lines
+208
to
+219
| // Notify the background-script wiring so dependent subsystems (e.g. the | ||
| // domain-squatting detector) can re-initialize with the new rules. | ||
| if (typeof this.onRulesUpdated === "function") { | ||
| try { | ||
| await this.onRulesUpdated(rules); | ||
| } catch (callbackError) { | ||
| logger.warn( | ||
| "onRulesUpdated callback threw:", | ||
| callbackError?.message || callbackError | ||
| ); | ||
| } | ||
| } |
|
|
||
| - name: Validate manifest.json | ||
| run: | | ||
| node -e "require('fs').readFileSync('manifest.json'); console.log('✓ manifest.json is valid JSON')" |
|
|
||
| - name: Validate Firefox manifest | ||
| run: | | ||
| node -e "require('fs').readFileSync('manifest.firefox.json'); console.log('✓ manifest.firefox.json is valid JSON')" |
Comment on lines
+68
to
+72
| for file in config/*.json rules/*.json; do | ||
| if [ -f "$file" ]; then | ||
| node -e "require('fs').readFileSync('$file'); console.log('✓ $file is valid JSON')" || exit 1 | ||
| fi | ||
| done |
Comment on lines
+103
to
+113
| # If config/branding.json or config/managed_schema.json changed | ||
| if git diff origin/main HEAD --name-only | grep -q "^config/"; then | ||
| echo "⚠️ Configuration files were modified" | ||
| echo "Reminder: Review enterprise/Deploy-Windows-Chrome-and-Edge.ps1 and enterprise/admx/Check-Extension.admx" | ||
| fi | ||
|
|
||
| # If manifest changed | ||
| if git diff origin/main HEAD --name-only | grep -qE "manifest.*\.json"; then | ||
| echo "ℹ️ Manifest was modified" | ||
| echo "Reminder: Test in both Chrome and Firefox" | ||
| fi |
Comment on lines
+96
to
+98
| if [[ -d "$chrome_extensions_folder" ]]; then | ||
| mkdir -p "$chrome_extensions_folder" | ||
| fi |
Comment on lines
+107
to
+110
| if [ $# -ne 1 ]; then | ||
| echo "Usage: $0 <extension_id>" | ||
| exit 1 | ||
| fi |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.