Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Case-sensitive domain matching allows blocklist bypass #2190

Description

@asmit25805

Was reading browse/src/content-security.ts and noticed a potential security gap.

The issue

The blocklist checks use case‑sensitive string inclusion, e.g., if (url.includes(domain)) { and if (contentUrl.includes(domain)) {, which can be bypassed by using uppercase letters in the domain part of a URL.

Where

urlBlocklistFilter in browse/src/content-security.ts

Suggested fix

Perform case‑insensitive matching on the hostname, for example:

import { URL } from 'url';

function domainMatches(urlStr: string, domain: string): boolean {
  try {
    const hostname = new URL(urlStr).hostname.toLowerCase();
    return hostname.includes(domain.toLowerCase());
  } catch {
    return false;
  }
}
// In urlBlocklistFilter replace the checks with:
if (domainMatches(url, domain)) { ... }
if (domainMatches(contentUrl, domain)) { ... }

Happy to open a PR if that would be useful.

I've tried to follow your contribution guidelines — let me know if I've missed anything.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions