Skip to content

Dev to Main for release update#166

Merged
JohnDuprey merged 35 commits into
mainfrom
dev
Jul 2, 2026
Merged

Dev to Main for release update#166
JohnDuprey merged 35 commits into
mainfrom
dev

Conversation

@Zacgoose

@Zacgoose Zacgoose commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

No description provided.

Zacgoose and others added 30 commits April 8, 2026 22:21
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…main-deployment.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…main-deployment.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…main-deployment.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Brian Simpson <50429915+bmsimp@users.noreply.github.com>
…une Step 2

- Setup script: mirror the Format-ArrayLiteral change for scalar
  replacements by adding Format-SingleQuoted and switching all
  string-valued scalar replacements to single-quoted output.
  Prevents \$ / backtick interpolation in user-provided URLs and
  branding fields when generated scripts run.
- Docs: add the missing "Step 2: Create the Win32 App in Intune"
  between packaging and configuration, fixing the 1 -> 3 jump.
Deploy script previously only wrote the toolbar property when
$forceToolbarPin = 1. Flipping the setting from 1 to 0 left a stale
toolbar_pin=force_pinned / toolbar_state=force_shown on devices,
which Detect couldn't reliably catch without causing an infinite
redeploy loop.

Deploy: always write the toolbar property -- pinned values when =1,
default_unpinned / hidden when =0. Matches the CIPP Intune standard.

Detect: add ToolbarPinnedValue / ToolbarUnpinnedValue to the $browsers
array and always verify the toolbar property against the expected
value based on $forceToolbarPin.

Addresses Copilot review comment on toolbar pin drift.
Setup: Apply-Replacements now tracks which patterns were found and
throws a detailed error listing any missing patterns. Previously a
silent miss (e.g., upstream comment reworded) would produce an output
script stuck on defaults. Callers now pass -TemplateName so the error
identifies which template failed.

Detect: convert all remaining bare Test-RegValue calls and bare exit 1
paths to use Test-RegValueWithDetails / Write-DetectionFailure so every
failure mode emits a specific reason on stdout. Affects customBranding,
genericWebhook, genericWebhook/events (incl. count mismatch and
"unexpected events" branches), urlAllowlist (same), and
ExtensionSettings. Admins running the script manually now see exactly
which check failed.

Addresses Copilot review comments on silent replacement failures and
missing diagnostic output.
feat: Add Intune detection and setup scripts for Windows deployment
Introduce .github/workflows/validate-pr.yml to run automated PR checks on dev and main. The workflow includes jobs for linting (ESLint if config present), CodeQL security analysis, JSON manifest and config validation, Conventional Commits PR title validation, and verification reminders when key files (config/ or manifest) change. This centralizes PR gating and developer guidance for releases and security checks.
An example of some deployment methods. If more screenshots or more official language is needed I'd be happy to assist in any way I can!

Signed-off-by: josh-ricketts-enable <91432846+josh-ricketts-enable@users.noreply.github.com>
Signed-off-by: Zacgoose <107489668+Zacgoose@users.noreply.github.com>
The domain squatting result handler in scripts/content.js collapsed the block | warn | log action enum into block vs. everything-else. Because only the 'block' case was checked, the 'log' action fell through to the warning branch: it showed the orange warning banner and recorded every telemetry line (protection event, CIPP report, webhook) as 'warned'. The 'log' action was therefore functionally identical to 'warn'.

Resolve the effective action as a real three-state value (block | warn | log) and derive a matching telemetry outcome (blocked | warned | logged). Preserve the semantics that warn logs telemetry and shows a banner, while log logs telemetry only and shows nothing to the user. Warn logs, log does not warn.

The detector side (getActionForSeverity in domain-squatting-detector.js) already passed 'log' through intact and is unchanged.

Fixes: #161
urlPatternToRegex appended a hard end-anchor to any non-wildcard pattern, so an allowlisted host or root URL only matched the bare root URL and never a real navigated deep link. An admin who allowlisted the exact host of a page (including the protocol-qualified form) still saw that page scanned or blocked, because the actual URL carries a path and the trailing anchor rejected it.

Relax only the trailing anchoring: normalize a single trailing slash and tolerate an optional trailing path, query, or fragment. The tolerated remainder must begin with /, ?, or # so suffix tricks such as https://host.evil.com/ still do not match an entry for https://host/. Leading protocol and subdomain tolerance is intentionally out of scope, so bare-domain entries still require the documented https://.../ * form.

The change is applied to both copies of urlPatternToRegex (scripts/content.js and options/options.js), which must stay in sync.

Fixes: #162
…terns

The deep-link matching added for the URL allowlist applied its tolerant trailing matcher to every non-wildcard pattern, which turned path-specific entries into prefix matches. For example an entry for https://host/safe also matched https://host/safe/anything, over-broadening a bypass allowlist entry beyond what the admin intended.

Gate the tolerant trailing matcher on host or root URL patterns only (no path segment beyond an optional single trailing slash). A pattern that includes an explicit path now stays an exact match. Host and root URL patterns still match deep links, and suffix or prefix tricks such as https://host.evil.com/ still do not match. Applied to both copies of urlPatternToRegex in scripts/content.js and options/options.js, which must stay in sync.

Addresses PR review feedback on BezaluLLC#2 (review comments on the urlPatternToRegex suffix handling).
Reflect the three-state detection action shipped in this branch. The log action is now documented as a distinct outcome: the detection is recorded in Activity Logs and sent to reporting and webhooks, but no warning banner and no block are shown to the user.

This also corrects the earlier statement that a warning banner is shown regardless of the action setting when page blocking is disabled, which is no longer true for the log action, and updates the inline action comments from 'block or warn' to include 'log'.

Refs: #161
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
Signed-off-by: Logan Cook <2997336+MWG-Logan@users.noreply.github.com>
Zacgoose added 2 commits July 2, 2026 13:59
Signed-off-by: Zacgoose <107489668+Zacgoose@users.noreply.github.com>
@Zacgoose Zacgoose requested review from a team and Copilot July 2, 2026 08:42
Zacgoose added 2 commits July 2, 2026 16:42
Signed-off-by: Zacgoose <107489668+Zacgoose@users.noreply.github.com>
Signed-off-by: Zacgoose <107489668+Zacgoose@users.noreply.github.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the extension’s detection capabilities and enterprise deployment tooling, with a particular focus on (1) new phishing-kit detections/rule behaviors and (2) improved rules refresh behavior and enterprise configuration defaults (notably domain-squatting now defaulting to disabled).

Changes:

  • Add new detection behaviors/rules (AitM origin validation, URL-only phishing indicators, updated allowlist regex anchoring, expanded ruleset content).
  • Rework detection-rules fetching/caching (remote-only persistence, background refresh scheduling, callback hook to re-init dependent subsystems).
  • Expand and modernize enterprise deployment/removal docs and scripts (new Windows setup + detection scripts, removal docs, updated policy defaults), plus a new PR-validation workflow.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
scripts/modules/domain-squatting-detector.js Default domain-squatting enablement now off; runtime config governs enablement.
scripts/modules/detection-rules-manager.js Adds background refresh scheduling, fallback semantics, and update callback wiring.
scripts/modules/config-manager.js Updates default config to disable domain squatting by default.
scripts/content.js Adds AitM blocking-rule type and URL-only indicator pre-check; tweaks allowlist anchoring and domain-squatting action semantics.
scripts/background.js Wires rules-updated callback to reinitialize domain-squatting detector; triggers rules pull on config save.
rules/detection-rules.json Updates rules version/date and adds/extends indicators + blocking rules; updates rogue-apps source URL.
options/options.js Aligns UI and saved config with “enabled only when explicitly true”; keeps allowlist anchoring logic in sync with content script.
enterprise/Setup-Windows-Chrome-and-Edge.ps1 New interactive generator for Intune deployment scripts.
enterprise/Remove-Windows-Chrome-and-Edge.ps1 Simplifies removal by deleting extension-specific registry keys recursively.
enterprise/Detect-Windows-Chrome-and-Edge.ps1 New Intune detection script validating registry state matches expected config.
enterprise/Deploy-Windows-Chrome-and-Edge.ps1 Updates defaults and makes toolbar pin state always written for deterministic detection.
enterprise/Check-Extension-Policy.reg Updates sample policy to reflect domain-squatting default disabled.
enterprise/admx/en-US/Check-Extension.adml Updates policy text to reflect domain-squatting default disabled.
enterprise/macos-linux/README.md Updates documented default for domain-squatting enablement.
enterprise/macos-linux/check-extension-config.mobileconfig Updates sample profile to disable domain squatting by default.
enterprise/firefox/policies.json Updates Firefox enterprise policy defaults for domain squatting.
docs/SUMMARY.md Adds a new “Removal” docs section to the docs navigation.
docs/removal/README.md New removal docs landing page.
docs/removal/windows/README.md New Windows removal docs index.
docs/removal/windows/chrome-edge.md New Chrome/Edge removal doc pointing to uninstall script.
docs/removal/windows/firefox.md New Firefox removal guidance.
docs/features/domain-squatting-detection.md Updates docs for new domain-squatting action semantics and defaults (but still needs alignment with runtime enablement).
docs/deployment/chrome-edge-deployment-instructions/windows/domain-deployment.md Reworks Windows deployment guide to use Win32/Intune script approach + setup script.
docs/deployment/chrome-edge-deployment-instructions/macos.md Expands macOS deployment guidance and includes example snippets (some snippet logic needs correction).
config/managed_schema.json Updates managed-schema defaults and clarifies domain-squatting config/policy semantics.
.github/workflows/validate-pr.yml New PR workflow: lint (if configured), CodeQL, JSON validation, conventional-title validation, and change reminders.
Comments suppressed due to low confidence (1)

scripts/content.js:2775

  • indicator.confidence || 0.5 treats a configured confidence of 0 as falsy and silently upgrades it to 0.5, which inflates scores. Use nullish coalescing so only null/undefined fall back to the default.
          totalScore += scoreWeight * (indicator.confidence || 0.5);

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread docs/features/domain-squatting-detection.md
@Zacgoose Zacgoose changed the title Dev Dev to Main for release update Jul 2, 2026
Signed-off-by: Zacgoose <107489668+Zacgoose@users.noreply.github.com>
@JohnDuprey JohnDuprey merged commit 48ee3d8 into main Jul 2, 2026
10 of 11 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

6 participants