Skip to content

feat: add Selective Allow popup for cross-origin local navigation (#57)#74

Draft
jjk1492 wants to merge 2 commits into
ACK-J:mainfrom
jjk1492:fix/selective-allow-57
Draft

feat: add Selective Allow popup for cross-origin local navigation (#57)#74
jjk1492 wants to merge 2 commits into
ACK-J:mainfrom
jjk1492:fix/selective-allow-57

Conversation

@jjk1492

@jjk1492 jjk1492 commented May 9, 2026

Copy link
Copy Markdown
Contributor

Problem

When a page on the internet contains a link to a local address (e.g. http://localhost:8080), Port Authority blocks the navigation because webRequest.onBeforeRequest reports the originUrl as the external page, making it look like a port scan. This breaks legitimate workflows: Proxmox consoles, VPN dashboards, local dev server links in documentation, etc.

Closes #57. Supersedes #72 (which silently allowed all main_frame LAN navigations — closed separately).

Solution — Selective Allow

Rather than silently blocking or silently allowing, a small popup window asks the user what to do.

Popup shows: external origin, local destination, protocol.

User choices:

Button Effect
Block Stays blocked, nothing saved
Allow Once Allowed this browser session (in-memory Set, clears on restart)
Always Allow Saved as { origin, destination } pair in new cross_origin_allowlist storage key

Saved permissions can be reviewed and removed from the extension settings page.

Scope

Only main_frame (user-initiated top-level navigations) get the popup. Sub-resource requests (fetch, XHR, iframes) from external origins to local addresses are still silently blocked and logged in the existing popup blocked-requests list — those are the actual port-scan vectors.

Files changed

  • background.js — session allow set, main_frame detection, allowOnce/alwaysAllow message handlers
  • global/browserActions.jsopenSelectiveAllowPopup() helper
  • selectiveAllow/ — new popup page (.html, .js, .css)
  • settings/settings.html + settings/settings.js — UI to manage saved cross_origin_allowlist entries
  • README.md — Selective Allow feature documentation

When an external page links to a local address and the user clicks it,
rather than silently blocking the navigation, a small popup now asks
the user what to do. The popup shows the origin, destination, and
protocol, with three choices:
  - Block: dismiss with no state change
  - Allow Once: session-only (in-memory Set, cleared on restart)
  - Always Allow: persisted as { origin, destination } pairs under
    the new cross_origin_allowlist storage key

Sub-resource requests (fetch, XHR, iframes) from external origins to
local addresses remain silently blocked and appear in the existing
blocked-requests list in the popup — they are the actual port-scan
vector and are never prompted.

Saved permissions are manageable from the extension settings page.

Closes ACK-J#57

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@jjk1492 jjk1492 marked this pull request as draft May 9, 2026 15:58
@jjk1492 jjk1492 changed the title Add Selective Allow popup for cross-origin local navigation (#57) feat: add Selective Allow popup for cross-origin local navigation (#57) May 9, 2026
Comment thread global/browserActions.js Outdated
Comment thread selectiveAllow/localRequestSelectiveAllow.js
Comment thread selectiveAllow/localRequestSelectiveAllow.js
Comment thread settings/settings.js
Comment thread selectiveAllow/localRequestSelectiveAllow.js
- Rename selectiveAllow.js → localRequestSelectiveAllow.js to scope it
  to the local request blocking feature, keeping the popup extensible
- Add file-level and inline comments to localRequestSelectiveAllow.js
- Make openSelectiveAllowPopup() generic with an optional `page` param
  to support any experience in the selectiveAllow/ directory
- Add concise block comments to settings.js cross-origin section,
  matching the existing allowlist comment convention

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] Links to LAN resources from non-LAN pages are treated as portscan attempts

2 participants