- Bump Firefox manifest to 2.1.0 alongside Chrome
- Switch Firefox interceptor injection to loader pattern so the nonce
handoff to content.js works (MAIN-world content script alone has no
documentElement nonce, causing all findings to be rejected)
- Add CSP and web_accessible_resources entries to match Chrome
- Include js/interceptor-loader.js in build.sh shared files
- Ignore dist/ build output
- Skip known CSRF tokens (authenticity_token, csrf_token, etc.) in hidden input scanner
- Ignore GitHub localStorage caches (ref-selector:*, jump_to:*, soft-nav:*, COPILOT_*)
- Skip keyboard shortcut data-attributes (data-hotkey, data-hotkey-scope)
- Fix URL param scanner: use exact match instead of substring to prevent "author" matching "auth"
- Add word boundaries to keyword scanner so "key" doesn't match "hotkey", "monkey", etc.
- Skip camelCase JS identifiers in keyword value matches
- Lower Sentry DSN severity to "low" (public by design)
- Apply same fixes to MutationObserver for SPA consistency
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Prevent fake finding injection via per-session nonce validation between
MAIN world interceptor and ISOLATED world content script
- Fix CSV formula injection in export by sanitizing cell values
- Serialize storage writes to prevent race conditions across tabs
- Cap findings at 5000 with oldest-first eviction
- Delete findings by unique ID instead of URL to avoid collateral removal
- Validate keyword length (50 chars) and count (50 max)
- Add MutationObserver for SPA support (dynamic DOM scanning)
- Add explicit CSP to manifest
- Add per-tab alert icon with red dot overlay when secrets are found
- Change Chrome extension to browser extension throughout
- Add Chrome Web Store and Firefox Add-ons install links
- Add Firefox badge to README header
- Update architecture section with Firefox manifest and build script
- Update installation instructions for both browsers
- Add manifest.firefox.json with gecko-specific settings and background scripts
- Add scripts/build.sh to generate Chrome and Firefox zip packages
- Zero JS changes needed: Firefox 128+ supports chrome.* namespace and world: MAIN
- Closes #10
- Migrated to Chrome Manifest V3 with service worker architecture
- 80+ secret detection patterns covering AWS, GCP, Azure, GitHub, GitLab,
Stripe, Slack, Discord, OpenAI, and 30+ other providers
- 10 scanning surfaces: inline scripts, external scripts, meta tags,
hidden inputs, data attributes, HTML comments, URL params, web storage,
cookies, and network response interception
- Shannon entropy analysis for detecting undocumented secret formats
- MAIN world interceptor for XHR/fetch response scanning and window globals
- Professional dark-theme UI with filtering, search, and CSV/JSON export
- Zero dependencies - removed jQuery, Bootstrap, font-awesome, popper
- Proper XSS-safe DOM rendering throughout
- Badge counter on extension icon showing finding count
- All frames scanning including iframes