Skip to content

feat(content-script): verify against pristine fetched HTML, not the DOM#3

Merged
jt55401 merged 1 commit into
mainfrom
feat/verify-pristine-html
May 14, 2026
Merged

feat(content-script): verify against pristine fetched HTML, not the DOM#3
jt55401 merged 1 commit into
mainfrom
feat/verify-pristine-html

Conversation

@jt55401
Copy link
Copy Markdown
Contributor

@jt55401 jt55401 commented May 14, 2026

Summary

Fixes false-invalid verification on pages whose client-side scripts mutate content inside signed regions after page load.

The most visible case is Hugo Blox's docs theme (used by the project website itself), which injects <button class=\"copy-button\">Copy</button> into every <pre> block on DOMContentLoaded. The signer at build time never sees the button; the verifier reading element.innerHTML does; canonical text diverges; signature reports as invalid despite being mathematically correct. Documented as Known Issue: Runtime DOM Mutation in the spec README.

What changed

autoVerifyPage() now:

  1. Fetches location.href with cache: 'force-cache' (browser HTTP cache hit on the typical post-navigation path)
  2. Extracts every <signed-section> substring from the pristine response via extractSignedSections() (new helper landing in feat(verify): add extractSignedSections helper for pristine-HTML verify htmltrust-browser-client#1)
  3. Position-pairs each pristine slice with the live DOM section by document order, passes the pristine slice (not the DOM element) to verifySignedSection()

The DOM element is still used for UI placement (badge anchor, decoration). Only the bytes fed to canonical-hash computation come from the pristine fetch.

Fallback

Falls back gracefully to per-section DOM verification when:

  • pristine fetch fails (network, HTTP error, CORS)
  • pristine section count ≠ DOM count (page rendered differently between navigation and our fetch, SPA route change, intercepting service worker)

The fallback re-introduces the runtime-mutation false-invalid risk on those pages, but only on those pages, and a console.warn marks the case for debugging.

Depends on

(Already merged that PR locally via the file: dep, so this PR's CI will exercise the new export.)

Test plan

  • npx tsc --noEmit clean
  • existing 7 Jest tests still pass
  • CI green on this PR
  • After both PRs merge + extension rebuilds: load the spec page in the extension and confirm signature shows valid

🤖 Generated with Claude Code

@jt55401 @claude
feat(content-script): verify against pristine fetched HTML, not the DOM
655126b 
Fixes false-invalid verification on pages whose client-side scripts
mutate content inside signed regions after page load. The most
visible case in the wild is Hugo Blox's docs theme, which injects a
<button class="copy-button">Copy</button> into every <pre> block on
DOMContentLoaded — the signer at build time never sees the button,
the verifier reading element.innerHTML does, and the canonical text
diverges. Documented as "Known Issue: Runtime DOM Mutation" in the
spec README.

autoVerifyPage now:

  1. Fetches location.href with cache:'force-cache' (HTTP cache hit
     on the typical post-navigation path; on a fresh load, a small
     duplicate request that origins with sane cache headers serve
     from cache too).
  2. Runs extractSignedSections() on the response body to enumerate
     every <signed-section> in document order from the pristine HTML.
  3. Position-pairs each pristine slice with the live DOM
     <signed-section> by index. The DOM element is still used for
     UI placement (badge anchor, decoration); only the bytes fed to
     verifySignedSection() come from the pristine fetch.

Falls back gracefully to per-section DOM verification when:
  - the pristine fetch fails (network, HTTP error, CORS quirk)
  - the pristine section count doesn't match the DOM count (page
    rendered differently between navigation and our fetch, SPA route
    change, intercepting service worker, runtime sections appended)

The fallback re-introduces the runtime-mutation false-invalid risk
on those pages, but only on those pages, and a console.warn marks
the case so users can report it.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@jt55401 jt55401 merged commit dcc0492 into main May 14, 2026
1 check failed
@jt55401 jt55401 deleted the feat/verify-pristine-html branch May 14, 2026 02:03
@jt55401 jt55401 mentioned this pull request May 14, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@jt55401