[Bug]: urlAllowlist Not Excluding Domains from Detection #107
Description
Required confirmations before submitting
- I can reproduce this issue on the latest released version of Check.
- I have searched existing issues (both open and closed) to avoid duplicates.
- I am not requesting general support; this is an actual bug report.
Issue Description
We're experiencing an issue where the urlAllowlist policy parameter is not working correctly in the CyberDrain Check extension.
Problem:
The extension shows phishing alerts on https://dash.cloudflare.com/ even though this domain is explicitly configured in our urlAllowlist.
Configuration (verified in chrome://policy/):
- urlAllowlist contains 10 entries including:
• https://dash.cloudflare.com/*
• https://.cloudflare.com/ - customRulesUrl: https://XYZ.com/detection-rules.json (accessible, contains exclusion patterns)
- Extension properly installed via Group Policy
Console Output:
[M365-Protection] 🚨 PHISHING INDICATORS FOUND on non-Microsoft page: 1 threats
[M365-Protection] ⚠� SUSPICIOUS CONTENT: Showing warning for 1 phishing indicators
Steps Taken:
✅ Verified policy configuration in chrome://policy/
✅ Reloaded extension multiple times
✅ Tested different URL patterns
✅ Verified customRulesUrl file is correct and accessible
Question:
Is this a known bug? The urlAllowlist appears in the policy but doesn't prevent the extension from alerting on those domains.
Attempted Fix - ALSO FAILED:
We tried disabling notifications (showNotifications: 0) but the extension continues to show alerts anyway, even though the policy is correctly set to 0 in chrome://policy/. This suggests the extension may not be reading managed storage policies at all.
Extension Version
1.0.7
Rules Version
1.0.6
Relevant Logs / Stack Trace