feat: HTTP 协议版本改走 webRequest statusLine

之前 HTTP/2 / HTTP/3 仅靠注入脚本读 PerformanceResourceTiming.nextHopProtocol，但跨域资源没有 Timing-Allow-Origin 时浏览器会把 nextHopProtocol 置空（abs.twimg.com 等典型情况），同时还要等资源完成加载，时序不稳定。改成在 service worker 的 webRequest.onHeadersReceived 里从 statusLine 正则提取 HTTP/<version>，存到 headerRecord.httpProtocol，再在 popup 合并阶段扫主请求 / API / iframe 三处记录汇总。注入脚本的 nextHopProtocol 兜底保留，两路一起命中合并不变。

将版本号提升到 1.3.44。

Author: setube

package.json

@@ -1,7 +1,7 @@
 {
   "name": "stackprism",
   "private": true,
-  "version": "1.3.43",
+  "version": "1.3.44",
   "type": "module",
   "description": "StackPrism 用于检测网页前端、后端、CDN、SaaS、广告营销、统计、登录、支付、网站程序和主题模板线索。",
   "scripts": {

src/background/headers.ts

@@ -240,6 +240,13 @@ const sanitizeAllHeaders = (headers: Record<string, string>) => {
   return out
 }
 
+// 从 webRequest 的 statusLine 拿协议版本 — "HTTP/2 200" / "HTTP/3 200" 这种
+// 比 PerformanceResourceTiming.nextHopProtocol 可靠：不需要 Timing-Allow-Origin，请求时刻就拿到
+const extractHttpProtocol = (statusLine: unknown): string => {
+  const match = /^HTTP\/([0-9.]+)/i.exec(String(statusLine || ''))
+  return match ? match[1].toLowerCase() : ''
+}
+
 export const buildHeaderRecord = (details: any, headerRules: any, settings: any) => {
   const normalizedHeaders = normalizeHeaders(details.responseHeaders)
   const headers = pickHeaders(normalizedHeaders, headerRules.interestingHeaders || [])
@@ -249,6 +256,7 @@ export const buildHeaderRecord = (details: any, headerRules: any, settings: any)
     type: details.type,
     method: details.method,
     statusCode: details.statusCode,
+    httpProtocol: extractHttpProtocol(details.statusLine),
     time: Date.now(),
     headers,
     allHeaders: sanitizeAllHeaders(normalizedHeaders),

src/background/popup-cache.ts

@@ -267,10 +267,59 @@ const suppressSelfHostTechs = (technologies: any[], pageUrl: string, suppressMap
   return technologies.filter(tech => !suppressNames.has(String(tech?.name || '')))
 }
 
+// 从所有 webRequest 记录里收集 HTTP 协议版本，比注入脚本里读 PerformanceResourceTiming.nextHopProtocol
+// 可靠得多——跨域资源没有 Timing-Allow-Origin 时浏览器把 nextHopProtocol 置空，而 statusLine 是请求发起时浏览器自己写的
+const collectHttpProtocolTechs = (data: any): any[] => {
+  const protocols = new Set<string>()
+  const sampleByProto = new Map<string, string>()
+  const consume = (record: any) => {
+    const proto = String(record?.httpProtocol || '').toLowerCase()
+    if (!proto) return
+    protocols.add(proto)
+    if (!sampleByProto.has(proto)) sampleByProto.set(proto, String(record?.url || ''))
+  }
+  consume(data?.main)
+  for (const api of data?.apis || []) consume(api)
+  for (const frame of data?.frames || []) consume(frame)
+  const out: any[] = []
+  const has3 = ['3', '3.0', 'h3'].some(v => protocols.has(v))
+  const has2 = ['2', '2.0', 'h2', 'h2c'].some(v => protocols.has(v))
+  if (has3) {
+    out.push({
+      category: '安全与协议',
+      name: 'HTTP/3',
+      confidence: '高',
+      evidence: [`资源使用 HTTP/3 协议（如 ${shortHostFromUrl(sampleByProto.get('3') || sampleByProto.get('h3') || '')}）`],
+      source: '响应头'
+    })
+  }
+  if (has2) {
+    out.push({
+      category: '安全与协议',
+      name: 'HTTP/2',
+      confidence: '高',
+      evidence: [
+        `资源使用 HTTP/2 协议（如 ${shortHostFromUrl(sampleByProto.get('2') || sampleByProto.get('2.0') || sampleByProto.get('h2') || '')}）`
+      ],
+      source: '响应头'
+    })
+  }
+  return out
+}
+
+const shortHostFromUrl = (url: string): string => {
+  try {
+    return new URL(url).host || url
+  } catch {
+    return url
+  }
+}
+
 const buildDisplayTechnologies = (data: any, settings: any, suppressMap: Record<string, string[]>) => {
   const all: any[] = []
   addAllTechnologies(all, data.page?.technologies)
   addAllTechnologies(all, data.main?.technologies)
+  addAllTechnologies(all, collectHttpProtocolTechs(data))
   for (const api of data.apis || []) {
     addAllTechnologies(
       all,