fix: 跨域 API/iframe 响应头不计入本站技术栈

新增可注册域(eTLD+1)判定,公共 CDN、三方服务的 API/iframe 响应头检测结果不再误算进本站技术栈;前后端分离的同站子域仍照常计入。

将版本号提升到 1.3.72。

Author: setube

package.json

@@ -1,7 +1,7 @@
 {
   "name": "stackprism",
   "private": true,
-  "version": "1.3.71",
+  "version": "1.3.72",
   "type": "module",
   "description": "StackPrism 用于检测网页前端、后端、CDN、SaaS、广告营销、统计、登录、支付、网站程序和主题模板线索。",
   "scripts": {

src/background/popup-cache.ts

@@ -14,6 +14,7 @@ import {
 import { loadDetectorSettings, loadTechRules } from './detector-settings'
 import { categoryIndex, confidenceRank } from '@/utils/category-order'
 import { cleanTechnologyUrl } from '@/utils/url'
+import { isSameSite } from '@/utils/domain'
 import { cleanStringArray } from '@/utils/normalize-settings'
 import { normalizeTechName } from '@/utils/tech-name'
 import { checkPageSupport } from '@/utils/page-support'
@@ -241,10 +242,15 @@ const mergeDisplayTechnologyRecords = (items: any[]) => {
 
 const collectRawReferenceTechnologies = (data: any) => {
   const items: any[] = []
+  const pageUrl = data.page?.url || data.dynamic?.url || data.main?.url || ''
   addAllTechnologies(items, data.page?.technologies)
   addAllTechnologies(items, data.main?.technologies)
-  for (const api of data.apis || []) addAllTechnologies(items, api.technologies)
-  for (const frame of data.frames || []) addAllTechnologies(items, frame.technologies)
+  for (const api of data.apis || []) {
+    if (isSameSite(api.url, pageUrl)) addAllTechnologies(items, api.technologies)
+  }
+  for (const frame of data.frames || []) {
+    if (isSameSite(frame.url, pageUrl)) addAllTechnologies(items, frame.technologies)
+  }
   addAllTechnologies(items, data.bundle?.technologies)
   return items
 }
@@ -349,10 +355,14 @@ const shortHostFromUrl = (url: string): string => {
 
 const buildDisplayTechnologies = (data: any, settings: any, suppressMap: Record<string, string[]>) => {
   const all: any[] = []
+  const pageUrl = data.page?.url || data.dynamic?.url || data.main?.url || ''
   addAllTechnologies(all, data.page?.technologies)
   addAllTechnologies(all, data.main?.technologies)
   addAllTechnologies(all, collectHttpProtocolTechs(data))
+  // 跨可注册域的 API / iframe 响应头只代表第三方（公共 CDN、三方服务）自身的基建，
+  // 不算本站技术栈；同站子域（含前后端分离的 api.* 子域）仍计入。
   for (const api of data.apis || []) {
+    if (!isSameSite(api.url, pageUrl)) continue
     addAllTechnologies(
       all,
       (api.technologies || []).map((tech: any) => ({
@@ -362,6 +372,7 @@ const buildDisplayTechnologies = (data: any, settings: any, suppressMap: Record<
     )
   }
   for (const frame of data.frames || []) {
+    if (!isSameSite(frame.url, pageUrl)) continue
     addAllTechnologies(
       all,
       (frame.technologies || []).map((tech: any) => ({
@@ -384,7 +395,6 @@ const buildDisplayTechnologies = (data: any, settings: any, suppressMap: Record<
       source: tech.source || 'JS 版权注释'
     }))
   )
-  const pageUrl = data.page?.url || data.dynamic?.url || data.main?.url || ''
   return filterTechnologiesBySettings(
     suppressSelfHostTechs(
       suppressGenericFrontendLibDuplicates(suppressGenericCdnFallbacks(mergeDisplayTechnologyRecords(all))),

src/utils/domain.ts

@@ -0,0 +1,87 @@
+// 多级公共后缀（eTLD）表：用于把 a.example.co.uk 这类主机名归并到可注册域 example.co.uk。
+// 只收录常见国家/地区的二级后缀，缺失条目会退化成「按末两段判定」——即沿用过滤前的行为，
+// 不会造成误判加剧。命中表里的二级后缀时，可注册域取末三段。
+const MULTI_LABEL_SUFFIXES = new Set(
+  `co.uk org.uk me.uk ltd.uk plc.uk net.uk sch.uk ac.uk gov.uk mod.uk nhs.uk police.uk
+   com.cn net.cn org.cn gov.cn edu.cn ac.cn mil.cn ah.cn bj.cn cq.cn fj.cn gd.cn gs.cn gx.cn
+   gz.cn ha.cn hb.cn he.cn hi.cn hk.cn hl.cn hn.cn jl.cn js.cn jx.cn ln.cn nm.cn nx.cn qh.cn
+   sc.cn sd.cn sh.cn sn.cn sx.cn tj.cn xj.cn xz.cn yn.cn zj.cn mo.cn
+   co.jp or.jp ne.jp ac.jp ad.jp ed.jp go.jp gr.jp lg.jp
+   co.kr or.kr ne.kr re.kr pe.kr go.kr ac.kr hs.kr ms.kr es.kr sc.kr kg.kr
+   com.au net.au org.au edu.au gov.au asn.au id.au
+   com.br net.br org.br gov.br edu.br art.br mil.br
+   com.hk net.hk org.hk edu.hk gov.hk idv.hk
+   com.tw net.tw org.tw edu.tw gov.tw idv.tw game.tw ebiz.tw club.tw
+   co.in net.in org.in gen.in firm.in ind.in gov.in ac.in edu.in res.in
+   co.za net.za org.za gov.za ac.za web.za
+   com.sg net.sg org.sg edu.sg gov.sg per.sg
+   com.ru net.ru org.ru msk.ru spb.ru edu.ru gov.ru int.ru ac.ru
+   com.mx net.mx org.mx edu.mx gob.mx
+   com.tr net.tr org.tr edu.tr gov.tr bel.tr mil.tr k12.tr biz.tr info.tr name.tr
+   com.ua net.ua org.ua edu.ua gov.ua in.ua kiev.ua
+   com.vn net.vn org.vn edu.vn gov.vn biz.vn info.vn name.vn pro.vn
+   com.my net.my org.my edu.my gov.my mil.my name.my
+   com.ph net.ph org.ph edu.ph gov.ph
+   co.id net.id or.id web.id ac.id sch.id go.id my.id biz.id desa.id
+   co.th net.th or.th ac.th go.th in.th mi.th
+   co.il net.il org.il ac.il gov.il k12.il muni.il idf.il
+   co.nz net.nz org.nz govt.nz ac.nz geek.nz school.nz kiwi.nz gen.nz
+   com.pl net.pl org.pl edu.pl gov.pl biz.pl info.pl waw.pl
+   com.ar net.ar org.ar edu.ar gob.ar gov.ar int.ar mil.ar tur.ar
+   com.co net.co org.co edu.co gov.co mil.co
+   com.pk net.pk org.pk edu.pk gov.pk gob.pk
+   com.sa net.sa org.sa edu.sa gov.sa med.sa pub.sa sch.sa
+   com.eg net.eg org.eg edu.eg gov.eg eun.eg sci.eg
+   com.ng net.ng org.ng edu.ng gov.ng
+   co.ke ne.ke or.ke ac.ke go.ke sc.ke me.ke info.ke
+   com.bd net.bd org.bd edu.bd gov.bd ac.bd
+   com.lk net.lk org.lk edu.lk gov.lk ac.lk sch.lk
+   com.np net.np org.np edu.np gov.np
+   co.ir net.ir org.ir ac.ir gov.ir id.ir sch.ir
+   co.ae net.ae org.ae ac.ae gov.ae sch.ae mil.ae
+   com.qa net.qa org.qa edu.qa gov.qa mil.qa sch.qa
+   com.jo net.jo org.jo edu.jo gov.jo mil.jo
+   com.pt edu.pt gov.pt org.pt nome.pt int.pt net.pt publ.pt
+   com.gr edu.gr net.gr org.gr gov.gr
+   com.es org.es gob.es edu.es nom.es
+   asso.fr com.fr gouv.fr nom.fr prd.fr tm.fr
+   gov.it edu.it gov.ie`
+    .split(/\s+/)
+    .filter(Boolean)
+)
+
+const IPV4_RE = /^\d{1,3}(?:\.\d{1,3}){3}$/
+
+const isIpHost = (host: string): boolean => IPV4_RE.test(host) || host.includes(':')
+
+// 把主机名归并到可注册域（eTLD+1）。IP / 单段主机名原样返回。
+export const getRegistrableDomain = (hostname: unknown): string => {
+  const host = String(hostname ?? '')
+    .toLowerCase()
+    .replace(/\.$/, '')
+  if (!host || isIpHost(host)) return host
+  const labels = host.split('.')
+  if (labels.length <= 2) return host
+  const last2 = labels.slice(-2).join('.')
+  if (MULTI_LABEL_SUFFIXES.has(last2)) return labels.slice(-3).join('.')
+  return last2
+}
+
+const registrableDomainFromUrl = (rawUrl: unknown): string => {
+  try {
+    return getRegistrableDomain(new URL(String(rawUrl ?? '')).hostname)
+  } catch {
+    return ''
+  }
+}
+
+// 判断某条请求记录的 URL 是否与页面属于同一可注册域。
+// 页面 URL 不可解析时返回 true（无法比较则不过滤，保持原行为）；
+// 记录 URL 不可解析时返回 false（按第三方处理，避免把外部信号算进本站）。
+export const isSameSite = (recordUrl: unknown, pageUrl: unknown): boolean => {
+  const pageDomain = registrableDomainFromUrl(pageUrl)
+  if (!pageDomain) return true
+  const recordDomain = registrableDomainFromUrl(recordUrl)
+  if (!recordDomain) return false
+  return recordDomain === pageDomain
+}