Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for TLD check and allowing Cross-Origin iframes option #2079

Merged
merged 3 commits into from
Jan 27, 2024
Merged

Add support for TLD check and allowing Cross-Origin iframes option #2079

merged 3 commits into from
Jan 27, 2024

Conversation

varjolintu
Copy link
Member

Adds support for checking Top-Level-Domains from hostnames, and returning a base domain. The implementation is almost similar to KeePassXC's keepassxreboot/keepassxc#9935 that is using a cookie API for TLD's (there's no direct API for it).

If a Cross-Origin iframe is detected, the popup will show a new option:
Screenshot 2024-01-14 at 10 10 45
Pressing the button will add the tab/window URL to Site Preferences and enables the new "Allow Cross-Origin iframes" option.

Content script's isIframeAllowed() now performs the following:

  • Checks if Cross-Origin iframes are allowed by Site Preferences.
  • Checks the base domain of window/iframe using TLD list.
  • Allows the iframe automatically if it's under the same base domain.
  • Disallows iframes that do not match with the tab's/window's URL.

Unit tests are disabled for now, because it's unclear how the background script can be tested with Cookies API enabled. I ran the same tests directly in the background script when making the feature, and all of those passed.

Fixes #2076.

@varjolintu varjolintu added this to the 1.8.12 milestone Jan 14, 2024
@varjolintu varjolintu mentioned this pull request Jan 14, 2024
Closed
@varjolintu
Copy link
Member Author

varjolintu commented Jan 15, 2024
edited
Loading

There are some problems with the automatic subdomain detection with Firefox. Trying to fix it.

EDIT: It's a problem with First-Party Isolation enabled. Seems there might be a bug in Firefox. So this feature will not work for e.g. Tor Browser automatically. User needs to make a manual exception.

@varjolintu varjolintu mentioned this pull request Jan 24, 2024
Closed
@Felix-Official
Copy link

The same problem. How can I get the fixed version?

@varjolintu
Copy link
Member Author

@Felix-Phi What do you mean?

@varjolintu varjolintu mentioned this pull request Jan 26, 2024
Open
droidmonkey
droidmonkey approved these changes Jan 27, 2024
View reviewed changes
Copy link
Member

@droidmonkey droidmonkey left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Works perfectly on the test/issue sites

@varjolintu varjolintu merged commit d321dbf into develop Jan 27, 2024
@varjolintu varjolintu deleted the feature/top-level_domain_check branch January 27, 2024 14:37
This was referenced Jan 27, 2024
Closed
Closed
@droidmonkey droidmonkey mentioned this pull request Jan 30, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@droidmonkey droidmonkey droidmonkey approved these changes

Assignees
No one assigned
Labels
new feature
Projects
None yet
Milestone
1.8.12
Development

Successfully merging this pull request may close these issues.

Credential request ignored from another domain
3 participants
@varjolintu @Felix-Official @droidmonkey