Options to Whitelist new domain could allow unintentional unblocking of 'substring' domains
Opened this issue · 0 comments
rolandog commented
Describe the bug
As mentioned in the title, whitelist options could allow the unblocking of substrings; i.e. choosing Unblock the Root Domain (*example.com*) when visiting https://www.example.com, would allow the following domains to not be blocked:
https://bad-website.com/#example.comhttps://typosquatter-example.comhttps://example.community
To Reproduce
Steps to reproduce the behaviour:
- Go to a non-Whitelisted website, e.g. for a full example:
https://subdomain.example.com/path/to/content.html - Click on
tr(trace's add-on button) - Click on
Whitelist - See options:
a. Unblock the Origin URL:https://subdomain.example.com/*
b. Unblock the URL path:*https://subdomain.example.com/path/to*
c. Unblock the Host URL:*subdomain.example.com*
d. Unblock the Root Domain:*example.com*
Screenshots
Here are some screenshots of testing google.com with the 'Unblock the Root Domain' option, as it is currently implemented:
Desktop (please complete the following information):
- OS: Ubuntu 19.10
- Browser: Firefox
- Version 75.0b2 (64-bit)
Additional context
I think the following actions should be taken, but I haven't looked at the domain-matching code yet to verify how domains are matched, and would be matched after the changes.
- For option 4.b, change:
- from:
*https://subdomain.example.com/path/to* - to:
https://subdomain.example.com/path/to/*
- from:
- For option 4.c, change:
- from:
*subdomain.example.com* - to:
subdomain.example.com
- from:
- For option 4.d, change:
- from:
*example.com* - to:
example.com
- from: