Was reading browse/src/content-security.ts and noticed a potential security gap.
The issue
The blocklist checks use case‑sensitive string inclusion, e.g., if (url.includes(domain)) { and if (contentUrl.includes(domain)) {, which can be bypassed by using uppercase letters in the domain part of a URL.
Where
urlBlocklistFilter in browse/src/content-security.ts
Suggested fix
Perform case‑insensitive matching on the hostname, for example:
import { URL } from 'url';
function domainMatches(urlStr: string, domain: string): boolean {
try {
const hostname = new URL(urlStr).hostname.toLowerCase();
return hostname.includes(domain.toLowerCase());
} catch {
return false;
}
}
// In urlBlocklistFilter replace the checks with:
if (domainMatches(url, domain)) { ... }
if (domainMatches(contentUrl, domain)) { ... }
Happy to open a PR if that would be useful.
I've tried to follow your contribution guidelines — let me know if I've missed anything.
Was reading
browse/src/content-security.tsand noticed a potential security gap.The issue
The blocklist checks use case‑sensitive string inclusion, e.g.,
if (url.includes(domain)) {andif (contentUrl.includes(domain)) {, which can be bypassed by using uppercase letters in the domain part of a URL.Where
urlBlocklistFilterinbrowse/src/content-security.tsSuggested fix
Perform case‑insensitive matching on the hostname, for example:
Happy to open a PR if that would be useful.
I've tried to follow your contribution guidelines — let me know if I've missed anything.