Support "single-page apps" that divorce location.pathname from main_frame requests

James-E-A / cerdicator

Enhanced TLS indicator with an emphasis on information about the Root Certificate Authority from which the connection's authenticity is derived

https://addons.mozilla.org/en-US/firefox/addon/cerdicator/

1 stars 3 forks source link

Support "single-page apps" that divorce location.pathname from main_frame requests #19

Open James-E-A opened 4 years ago

James-E-A commented 4 years ago

The current code works great for apps that respect the URL metaphor by only using the fragment to represent its internal state (e.g. VMWare ESXi web UI), but breaks down for apps that completely commandeer it via JavaScript (e.g. Discourse, Discord, GitHub)

James-E-A commented 4 years ago

The right(?) way to do this is, I guess:

If we have not yet seen that host on that tab, use it
If the request is main_frame, use it

Tangentially: consider blocking + sounding the alarm on requests which match the hostname, but not the certificate, of the last request in its tab matching the above criteria

@TJesionowski got any ideas?

James-E-A commented 3 years ago

Better yet: figure out whence the data for "what's shown if you click on the lock in the URL bar" is got, especially for PWAs that may run fully-offline.

James-E-A commented 3 years ago

Seems to have been fixed in 3a9048cd26fb08df67797f05214d9af92a4e2dcd when we switched to matching by host instead of whole-URL

James-E-A commented 3 years ago

Nevermind; this is still present for offline PWAs. Does anybody know how to getSecurityInfo() for ServiceWorker-managed requests? (The Security tab in the devtools networkmonitor is populated…)

James-E-A commented 2 years ago

Does anybody know how to getSecurityInfo() for ServiceWorker-managed requests?

No bites yet: https://discourse.mozilla.org/t/getsecurityinfo-for-pwas/81239