- Skip known CSRF tokens (authenticity_token, csrf_token, etc.) in hidden input scanner
- Ignore GitHub localStorage caches (ref-selector:*, jump_to:*, soft-nav:*, COPILOT_*)
- Skip keyboard shortcut data-attributes (data-hotkey, data-hotkey-scope)
- Fix URL param scanner: use exact match instead of substring to prevent "author" matching "auth"
- Add word boundaries to keyword scanner so "key" doesn't match "hotkey", "monkey", etc.
- Skip camelCase JS identifiers in keyword value matches
- Lower Sentry DSN severity to "low" (public by design)
- Apply same fixes to MutationObserver for SPA consistency
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
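Added example, not code from the extension or its authors: a keyword scanner with the false-positive fixes listed in the commit above (CSRF names skipped, hotkey attributes skipped, whole-word keyword matching, camelCase values ignored, exact match for URL parameters). Every name here (`KEYWORDS`, `CSRF_NAMES`, `SKIP_ATTRS`, `tokenize`, `scanKeywords`, `scanUrlParams`) and the sample inputs are assumptions for the illustration. It goes one step past a literal `\b` word boundary, because `_` is a word character and `\bkey\b` would miss `api_key` and `apiKey`; tokenizing the name gives the same whole-word behaviour for snake_case, kebab-case and camelCase.

```javascript
// Added example, not the extension's own code. All names and samples are assumptions.

const KEYWORDS = new Set(['key', 'secret', 'token', 'password', 'auth']);

// Hidden-input names that carry CSRF tokens, which are not secrets.
const CSRF_NAMES = new Set([
  'authenticity_token', 'csrf_token', '_csrf', 'csrfmiddlewaretoken', '__RequestVerificationToken',
]);

// Keyboard-shortcut data attributes that never hold credentials.
const SKIP_ATTRS = new Set(['data-hotkey', 'data-hotkey-scope']);

// A value shaped like a camelCase JS identifier ("loadSecretHandler") is code, not a secret.
const CAMEL_CASE_RE = /^[a-z]+(?:[A-Z][a-z0-9]*)+$/;

// Split a name into lowercase word tokens: "apiKey", "api_key" and "API-KEY"
// all become ["api", "key"], while "hotkey" and "monkey" stay one token.
// A plain \bkey\b would not do: "_" counts as a word character, so it misses
// "api_key", and it cannot see the camelCase boundary in "apiKey".
function tokenize(name) {
  return name
    .replace(/([a-z0-9])([A-Z])/g, '$1_$2')
    .toLowerCase()
    .split(/[^a-z0-9]+/)
    .filter(Boolean);
}

// Whole-word keyword match: returns the matched keyword or null.
function matchKeyword(name) {
  return tokenize(name).find((t) => KEYWORDS.has(t)) || null;
}

// Scan name/value pairs (hidden inputs, data attributes, storage entries).
function scanKeywords(pairs) {
  const findings = [];
  for (const { name, value } of pairs) {
    if (CSRF_NAMES.has(name) || SKIP_ATTRS.has(name)) continue; // known non-secrets
    const keyword = matchKeyword(name);
    if (!keyword) continue;                                      // no whole-word hit
    if (CAMEL_CASE_RE.test(value)) continue;                     // JS identifier, not a value
    findings.push({ name, keyword, value });
  }
  return findings;
}

// URL params use exact match on the lowercased parameter name, so "author"
// does not hit "auth" the way a substring test would.
function scanUrlParams(url) {
  const findings = [];
  for (const [name, value] of new URL(url).searchParams) {
    const lower = name.toLowerCase();
    if (KEYWORDS.has(lower)) findings.push({ name, keyword: lower, value });
  }
  return findings;
}

// Constructed sample inputs (not captured from any real page).
const SAMPLE_PAIRS = [
  { name: 'authenticity_token', value: 'CONSTRUCTED-CSRF-0001' }, // CSRF, skipped
  { name: 'data-hotkey', value: 'g n' },                           // shortcut, skipped
  { name: 'hotkey', value: 'CONSTRUCTED-0002' },                   // "key" is not a whole word
  { name: 'monkey', value: 'CONSTRUCTED-0003' },                   // same
  { name: 'secretFn', value: 'loadSecretHandler' },                // camelCase identifier, skipped
  { name: 'api_key', value: 'CONSTRUCTED-KEY-0004' },              // reported
];
const SAMPLE_URL = 'https://example.test/search?author=bob&token=CONSTRUCTED-TOKEN-0005';
```

Running `scanKeywords(SAMPLE_PAIRS)` reports only `api_key`; `scanUrlParams(SAMPLE_URL)` reports `token` and ignores `author`.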
- Prevent fake finding injection via per-session nonce validation between
MAIN world interceptor and ISOLATED world content script
- Fix CSV formula injection in export by sanitizing cell values
- Serialize storage writes to prevent race conditions across tabs
- Cap findings at 5000 with oldest-first eviction
- Delete findings by unique ID instead of URL to avoid collateral removal
- Validate keyword length (50 chars) and count (50 max)
- Add MutationObserver for SPA support (dynamic DOM scanning)
- Add explicit CSP to manifest
- Add per-tab alert icon with red dot overlay when secrets are found
- Migrated to Chrome Manifest V3 with service worker architecture
- 80+ secret detection patterns covering AWS, GCP, Azure, GitHub, GitLab,
Stripe, Slack, Discord, OpenAI, and 30+ other providers
- 10 scanning surfaces: inline scripts, external scripts, meta tags,
hidden inputs, data attributes, HTML comments, URL params, web storage,
cookies, and network response interception
- Shannon entropy analysis for detecting undocumented secret formats
- MAIN world interceptor for XHR/fetch response scanning and window globals
- Professional dark-theme UI with filtering, search, and CSV/JSON export
- Zero dependencies - removed jQuery, Bootstrap, font-awesome, popper
- Proper XSS-safe DOM rendering throughout
- Badge counter on extension icon showing finding count
- All frames scanning including iframes
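Added example, not code from the extension or its authors: a small version of the two detection layers named in the release notes, a provider pattern list and Shannon entropy for tokens that fit no known format, run over a constructed inline-script string. The AWS access key id, GitHub classic PAT and Sentry DSN regexes follow those services' documented formats, and the Sentry entry carries the "low" severity from the earlier commit; the entropy threshold, the candidate token shape, the severity labels and the sample text are assumptions.

```javascript
// Added example, not the extension's own code. Threshold, token shape and samples are assumptions.

const PATTERNS = [
  { id: 'aws-access-key-id', severity: 'high', re: /\bAKIA[0-9A-Z]{16}\b/g },
  { id: 'github-pat', severity: 'high', re: /\bghp_[A-Za-z0-9]{36}\b/g },
  // A Sentry DSN is shipped to every browser on purpose, hence "low".
  { id: 'sentry-dsn', severity: 'low', re: /https:\/\/[0-9a-f]{32}@[a-z0-9.-]+\/\d+/g },
];

// Bits of entropy per character of s: 0 for one repeated character,
// log2(N) when all N characters differ.
function shannonEntropy(s) {
  if (!s.length) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Tokens long enough to be a credential, drawn from base64 / hex / url-safe alphabets.
const CANDIDATE_RE = /[A-Za-z0-9+\/=_-]{20,}/g;
// Hex strings top out at 4 bits/char and base64 at 6; 4.0 keeps hex-ish and
// random mixed-case tokens while dropping prose and repeated filler.
const ENTROPY_THRESHOLD = 4.0;

function scanText(text, source = 'inline-script') {
  const findings = [];
  let remaining = text;
  for (const p of PATTERNS) {
    for (const m of text.matchAll(p.re)) {
      findings.push({ id: p.id, severity: p.severity, value: m[0], source });
    }
    // Blank out matched spans so the entropy layer does not report them twice.
    remaining = remaining.replace(p.re, ' ');
  }
  for (const m of remaining.matchAll(CANDIDATE_RE)) {
    const entropy = shannonEntropy(m[0]);
    if (entropy >= ENTROPY_THRESHOLD) {
      findings.push({ id: 'high-entropy', severity: 'medium', value: m[0], entropy, source });
    }
  }
  return findings;
}

// Constructed inline-script text; the AWS key is AWS's own documented example id,
// the DSN key is a placeholder, and the blob is 32 distinct characters (5 bits/char).
const SAMPLE_SCRIPT = `
  var cfg = { region: "us-east-1", accessKeyId: "AKIAIOSFODNN7EXAMPLE" };
  Sentry.init({ dsn: "https://0123456789abcdef0123456789abcdef@o0.ingest.sentry.io/1" });
  var sessionBlob = "Qw3Er7Ty9Ui2Op4As6Df8Gh1Jk5Lz0Xc";
  var placeholder = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx";
`;
```

`scanText(SAMPLE_SCRIPT)` yields three findings: the AWS key id (high), the Sentry DSN (low) and the session blob as a high-entropy token; the 32-character run of `x` has zero entropy and is not reported. Blanking pattern matches before the entropy pass matters here, because the 32 hex characters of the DSN key sit exactly at the 4.0 threshold and would otherwise be reported a second time.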