feat: add Selective Allow popup for cross-origin local navigation (#57)#74
Draft
jjk1492 wants to merge 2 commits into
Draft
feat: add Selective Allow popup for cross-origin local navigation (#57)#74jjk1492 wants to merge 2 commits into
jjk1492 wants to merge 2 commits into
Conversation
When an external page links to a local address and the user clicks it,
rather than silently blocking the navigation, a small popup now asks
the user what to do. The popup shows the origin, destination, and
protocol, with three choices:
- Block: dismiss with no state change
- Allow Once: session-only (in-memory Set, cleared on restart)
- Always Allow: persisted as { origin, destination } pairs under
the new cross_origin_allowlist storage key
Sub-resource requests (fetch, XHR, iframes) from external origins to
local addresses remain silently blocked and appear in the existing
blocked-requests list in the popup — they are the actual port-scan
vector and are never prompted.
Saved permissions are manageable from the extension settings page.
Closes ACK-J#57
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
jjk1492
commented
May 9, 2026
- Rename selectiveAllow.js → localRequestSelectiveAllow.js to scope it to the local request blocking feature, keeping the popup extensible - Add file-level and inline comments to localRequestSelectiveAllow.js - Make openSelectiveAllowPopup() generic with an optional `page` param to support any experience in the selectiveAllow/ directory - Add concise block comments to settings.js cross-origin section, matching the existing allowlist comment convention Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
When a page on the internet contains a link to a local address (e.g.
http://localhost:8080), Port Authority blocks the navigation becausewebRequest.onBeforeRequestreports theoriginUrlas the external page, making it look like a port scan. This breaks legitimate workflows: Proxmox consoles, VPN dashboards, local dev server links in documentation, etc.Closes #57. Supersedes #72 (which silently allowed all
main_frameLAN navigations — closed separately).Solution — Selective Allow
Rather than silently blocking or silently allowing, a small popup window asks the user what to do.
Popup shows: external origin, local destination, protocol.
User choices:
Set, clears on restart){ origin, destination }pair in newcross_origin_allowliststorage keySaved permissions can be reviewed and removed from the extension settings page.
Scope
Only
main_frame(user-initiated top-level navigations) get the popup. Sub-resource requests (fetch, XHR, iframes) from external origins to local addresses are still silently blocked and logged in the existing popup blocked-requests list — those are the actual port-scan vectors.Files changed
background.js— session allow set,main_framedetection,allowOnce/alwaysAllowmessage handlersglobal/browserActions.js—openSelectiveAllowPopup()helperselectiveAllow/— new popup page (.html,.js,.css)settings/settings.html+settings/settings.js— UI to manage savedcross_origin_allowlistentriesREADME.md— Selective Allow feature documentation