fix: 修一批响应头与规则误报

setube · setube · commit a4fed8012cea · 2026-05-12T11:31:07.000+08:00
CSP / Permissions-Policy / Report-To / NEL 这种「允许列表」性质的响应头从 headerBlob 里剔除——这些只是声明可加载源/上报端点，不代表实际使用，之前会导致 x.com 因 CSP 包含 googleusercontent.com 而误报 Google Cloud CDN。同时收紧多个规则匹配：
- 前端库 / UI 框架同名重复时（如 t.me 上 Bootstrap 同时进 UI / CSS 框架和前端库），自动去掉前端库的重复条目
- Framework7 的 patterns 去掉 `f7-`（裸字符串，Twitter 等站点正文里出现就误命中），仅保留 framework7 资源文件名和 classPrefixes
- Play Framework 把 `play\.api`、`csrfToken.*play` 这种过宽模式收紧为 play.api.mvc / playframework.com / play_session 等精确特征
- 注入脚本 detectFeeds 过滤增加 oembed 排除，并要求 type/href 命中真正的 feed MIME / 路径，避免 application/json+oembed 被误识别成 JSON Feed
- 兜底前端库黑名单加 tgwallpaper（Telegram 自家壁纸脚本，不是公共库）
- 新增 Telegram CDN 规则（telesco.pe / cdn*.telesco.pe）+ 把 t.me 和 telesco 加入 self-host 抑制

将版本号提升到 1.3.43。
diff --git a/package.json b/package.json
@@ -1,7 +1,7 @@
 {
   "name": "stackprism",
   "private": true,
-  "version": "1.3.42",
+  "version": "1.3.43",
   "type": "module",
   "description": "StackPrism 用于检测网页前端、后端、CDN、SaaS、广告营销、统计、登录、支付、网站程序和主题模板线索。",
   "scripts": {
diff --git a/public/rules/page/backend-hints-page.json b/public/rules/page/backend-hints-page.json
@@ -65,11 +65,7 @@
         {
           "name": "ThinkPHP",
           "confidence": "中",
-          "patterns": [
-            "thinkphp",
-            "index\\.php\\?s=",
-            "(?:^|/)index/(?:index|home|pay|user|api)/[a-z0-9_-]+(?:[?#\\s\"'<>]|$)"
-          ]
+          "patterns": ["thinkphp", "index\\.php\\?s=", "(?:^|/)index/(?:index|home|pay|user|api)/[a-z0-9_-]+(?:[?#\\s\"'<>]|$)"]
         },
         {
           "name": "CakePHP",
@@ -107,11 +103,7 @@
           "name": "FreeMarker",
           "confidence": "中",
           "matchIn": ["url", "resources", "html", "dynamic"],
-          "patterns": [
-            "freemarker",
-            "\\.ftl(?:[?#\\s\"'<>]|$)",
-            "(?:^|/)ftl(?:/|[?#\\s\"'<>]|$)"
-          ]
+          "patterns": ["freemarker", "\\.ftl(?:[?#\\s\"'<>]|$)", "(?:^|/)ftl(?:/|[?#\\s\"'<>]|$)"]
         },
         {
           "name": "Apache Wicket",
@@ -137,7 +129,7 @@
             },
             {
               "name": "Play Framework",
-              "patterns": ["play-framework|play\\.api|csrfToken.*play"]
+              "patterns": ["play-framework", "play\\.api\\.mvc", "playframework\\.com", "play_session"]
             }
           ]
         },
diff --git a/public/rules/page/cdn-providers-page.json b/public/rules/page/cdn-providers-page.json
@@ -314,6 +314,10 @@
           "name": "GitHub Raw Content",
           "patterns": ["githubusercontent\\.com"]
         },
+        {
+          "name": "Telegram CDN",
+          "patterns": ["telesco\\.pe", "cdn[0-9]*\\.telesco\\.pe"]
+        },
         {
           "name": "GitLab Pages",
           "patterns": ["gitlab\\.io"]
diff --git a/public/rules/page/frontend-extra.json b/public/rules/page/frontend-extra.json
@@ -127,8 +127,7 @@
           },
           {
             "name": "Fluent UI / Fabric",
-            "patterns": ["@fluentui|office-ui-fabric|ms-Fabric|ms-Button"],
-            "classPrefixes": ["ms-"]
+            "patterns": ["@fluentui|office-ui-fabric|ms-Fabric|ms-Button"]
           },
           {
             "name": "Blueprint",
@@ -212,7 +211,7 @@
           },
           {
             "name": "Framework7",
-            "patterns": ["framework7(?:\\.bundle)?(?:\\.min)?\\.(?:js|css)|f7-"],
+            "patterns": ["framework7(?:\\.bundle)?(?:\\.min)?\\.(?:js|css)"],
             "globals": ["Framework7"],
             "classPrefixes": ["f7-"]
           },
@@ -240,7 +239,7 @@
           },
           {
             "name": "Varlet",
-            "patterns": ["varlet|@varlet\\/|var-"]
+            "patterns": ["varlet|@varlet\\/|varletjs"]
           },
           {
             "name": "Semi Design",
diff --git a/public/rules/page/selfhosted-saas-assets.json b/public/rules/page/selfhosted-saas-assets.json
@@ -370,8 +370,8 @@
         {
           "name": "Outline Wiki",
           "kind": "知识库 / 文档",
-          "resourceHints": ["outline"],
-          "patterns": ["outline[^\\s\"'<>]*\\.(?:js|css|svg|png)(?:\\?|$)"]
+          "resourceHints": ["getoutline", "outline-wiki", "outlinewiki", "/outline/"],
+          "patterns": ["getoutline\\.com", "(?:^|/)outline(?:-wiki|wiki)?[._-][^\\s\"'<>]*\\.(?:js|css)", "/outline/"]
         },
         {
           "name": "Wiki.js",
diff --git a/public/rules/self-host-suppress.json b/public/rules/self-host-suppress.json
@@ -26,7 +26,8 @@
     "reddit.com": ["Reddit"],
     "discord.com": ["Discord"],
     "slack.com": ["Slack"],
-    "telegram.org": ["Telegram"],
+    "telegram.org": ["Telegram", "Telegram CDN"],
+    "t.me": ["Telegram", "Telegram CDN"],
     "whatsapp.com": ["WhatsApp"],
     "medium.com": ["Medium"],
     "substack.com": ["Substack"],
diff --git a/public/tech-links.json b/public/tech-links.json
@@ -1345,6 +1345,7 @@
     "GitHub Pages": "https://pages.github.com",
     "GitHub Assets": "https://github.com",
     "GitHub Raw Content": "https://raw.githubusercontent.com",
+    "Telegram CDN": "https://telegram.org",
     "GitLab Pages": "https://docs.gitlab.com/user/project/pages",
     "Render": "https://render.com",
     "Fly.io": "https://fly.io",
diff --git a/src/background/dynamic-snapshot.ts b/src/background/dynamic-snapshot.ts
@@ -150,7 +150,9 @@ const isLikelyDynamicLibraryFileName = name => {
     'require',
     'requirejs',
     'system',
-    'systemjs'
+    'systemjs',
+    // 站点自身的内部脚本，不是公共库
+    'tgwallpaper'
   ])
   return !genericNames.has(name.toLowerCase())
 }
diff --git a/src/background/headers.ts b/src/background/headers.ts
@@ -142,13 +142,27 @@ const markSpoofedHeaderDetections = (technologies: any[], headers: Record<string
   }
 }
 
+// 这些 header 是「允许列表」性质（CSP 列出可加载的源、Report-To 列出错误上报通道等），
+// 内容是一长串第三方域名 / 类型字面量，不代表站点实际在用这些技术；扫描时跳过它们能避免误报
+const ALLOWLIST_STYLE_HEADERS = new Set([
+  'content-security-policy',
+  'content-security-policy-report-only',
+  'report-to',
+  'reporting-endpoints',
+  'permissions-policy',
+  'feature-policy',
+  'expect-ct',
+  'nel'
+])
+
 const detectFromHeaders = (headers: Record<string, string>, url: string, headerRules: any = {}, settings: any = {}) => {
   const technologies: any[] = []
   const add = createCollector(technologies, '响应头')
   const server = lower(headers.server)
   const poweredBy = lower(headers['x-powered-by'])
   const headerBlob =
     Object.entries(headers)
+      .filter(([name]) => !ALLOWLIST_STYLE_HEADERS.has(name.toLowerCase()))
       .map(([name, value]) => `${name}: ${value}`)
       .join('\n') + `\nurl: ${url || ''}`
   const lowerHeaderBlob = lower(headerBlob)
diff --git a/src/background/popup-cache.ts b/src/background/popup-cache.ts
@@ -137,6 +137,21 @@ export const suppressGenericCdnFallbacks = (technologies: any[]) => {
   return technologies.filter(tech => tech?.category !== 'CDN / 托管' || !GENERIC_CDN_FALLBACK_NAMES.has(tech?.name))
 }
 
+// 同名技术既被识别为 UI / CSS 框架（或前端框架），又被归到「前端库」类目时，去掉后者的重复条目
+// 例：Bootstrap 同时进了「UI / CSS 框架」和「前端库」，只保留前者
+const SPECIFIC_CATEGORIES_OVER_GENERIC_LIB = new Set(['UI / CSS 框架', '前端框架', '构建与运行时'])
+export const suppressGenericFrontendLibDuplicates = (technologies: any[]) => {
+  if (!Array.isArray(technologies) || !technologies.length) return technologies
+  const specificNames = new Set<string>()
+  for (const tech of technologies) {
+    if (tech?.category && SPECIFIC_CATEGORIES_OVER_GENERIC_LIB.has(tech.category) && tech.name) {
+      specificNames.add(normalizeTechName(tech.name))
+    }
+  }
+  if (!specificNames.size) return technologies
+  return technologies.filter(tech => tech?.category !== '前端库' || !specificNames.has(normalizeTechName(tech.name)))
+}
+
 export const filterTechnologiesBySettings = (technologies: any[], settings: any) => {
   const disabledCategories = new Set(cleanStringArray(settings?.disabledCategories))
   const disabledTechnologies = new Set(cleanStringArray(settings?.disabledTechnologies).map(name => normalizeTechName(name)))
@@ -290,7 +305,11 @@ const buildDisplayTechnologies = (data: any, settings: any, suppressMap: Record<
   )
   const pageUrl = data.page?.url || data.dynamic?.url || data.main?.url || ''
   return filterTechnologiesBySettings(
-    suppressSelfHostTechs(suppressGenericCdnFallbacks(mergeDisplayTechnologyRecords(all)), pageUrl, suppressMap),
+    suppressSelfHostTechs(
+      suppressGenericFrontendLibDuplicates(suppressGenericCdnFallbacks(mergeDisplayTechnologyRecords(all))),
+      pageUrl,
+      suppressMap
+    ),
     settings
   )
 }
diff --git a/src/injected/page-detector.ts b/src/injected/page-detector.ts
@@ -428,7 +428,9 @@ const detectPageTechnologies = async (ruleConfig: Record<string, unknown> = {})
       'require',
       'requirejs',
       'system',
-      'systemjs'
+      'systemjs',
+      // 站点自身的内部脚本，不是公共库
+      'tgwallpaper'
     ])
     return !genericNames.has(name.toLowerCase())
   }
@@ -859,7 +861,15 @@ ${html}`
         type: (link.type || '').toLowerCase(),
         title: link.title || ''
       }))
-      .filter(link => link.href && /rss|atom|feed|json/.test(`${link.type} ${link.href}`.toLowerCase()))
+      // 只接受真正的 feed 类型，避免 application/json+oembed 这种非 feed 的备用链接被误算成 JSON Feed
+      .filter(
+        link =>
+          link.href &&
+          !/oembed/.test(`${link.type} ${link.href}`.toLowerCase()) &&
+          /(?:rss|atom|jsonfeed|feed\+json|json\+feed|application\/feed|\.rss\b|\.atom\b|\/feed(?:\/|\.json|$|\?)|\/rss(?:\/|$|\?)|\/atom(?:\/|$|\?))/.test(
+            `${link.type} ${link.href}`.toLowerCase()
+          )
+      )
 
     for (const link of feedLinks.slice(0, 20)) {
       const name = feedNameFromType(link.type, link.href)

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "stackprism",`
`3`	`3`	`"private": true,`
`4`		`- "version": "1.3.42",`
	`4`	`+ "version": "1.3.43",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"description": "StackPrism 用于检测网页前端、后端、CDN、SaaS、广告营销、统计、登录、支付、网站程序和主题模板线索。",`
`7`	`7`	`"scripts": {`
Original file line number	Diff line number	Diff line change
`@@ -65,11 +65,7 @@`
`65`	`65`	`{`
`66`	`66`	`"name": "ThinkPHP",`
`67`	`67`	`"confidence": "中",`
`68`		`- "patterns": [`
`69`		`- "thinkphp",`
`70`		`- "index\\.php\\?s=",`
`71`		`- "(?:^\|/)index/(?:index\|home\|pay\|user\|api)/[a-z0-9_-]+(?:[?#\\s\"'<>]\|$)"`
`72`		`- ]`
	`68`	`+ "patterns": ["thinkphp", "index\\.php\\?s=", "(?:^\|/)index/(?:index\|home\|pay\|user\|api)/[a-z0-9_-]+(?:[?#\\s\"'<>]\|$)"]`
`73`	`69`	`},`
`74`	`70`	`{`
`75`	`71`	`"name": "CakePHP",`
`@@ -107,11 +103,7 @@`
`107`	`103`	`"name": "FreeMarker",`
`108`	`104`	`"confidence": "中",`
`109`	`105`	`"matchIn": ["url", "resources", "html", "dynamic"],`
`110`		`- "patterns": [`
`111`		`- "freemarker",`
`112`		`- "\\.ftl(?:[?#\\s\"'<>]\|$)",`
`113`		`- "(?:^\|/)ftl(?:/\|[?#\\s\"'<>]\|$)"`
`114`		`- ]`
	`106`	`+ "patterns": ["freemarker", "\\.ftl(?:[?#\\s\"'<>]\|$)", "(?:^\|/)ftl(?:/\|[?#\\s\"'<>]\|$)"]`
`115`	`107`	`},`
`116`	`108`	`{`
`117`	`109`	`"name": "Apache Wicket",`
`@@ -137,7 +129,7 @@`
`137`	`129`	`},`
`138`	`130`	`{`
`139`	`131`	`"name": "Play Framework",`
`140`		`- "patterns": ["play-framework\|play\\.api\|csrfToken.*play"]`
	`132`	`+ "patterns": ["play-framework", "play\\.api\\.mvc", "playframework\\.com", "play_session"]`
`141`	`133`	`}`
`142`	`134`	`]`
`143`	`135`	`},`
Original file line number	Diff line number	Diff line change
`@@ -127,8 +127,7 @@`
`127`	`127`	`},`
`128`	`128`	`{`
`129`	`129`	`"name": "Fluent UI / Fabric",`
`130`		`- "patterns": ["@fluentui\|office-ui-fabric\|ms-Fabric\|ms-Button"],`
`131`		`- "classPrefixes": ["ms-"]`
	`130`	`+ "patterns": ["@fluentui\|office-ui-fabric\|ms-Fabric\|ms-Button"]`
`132`	`131`	`},`
`133`	`132`	`{`
`134`	`133`	`"name": "Blueprint",`
`@@ -212,7 +211,7 @@`
`212`	`211`	`},`
`213`	`212`	`{`
`214`	`213`	`"name": "Framework7",`
`215`		`- "patterns": ["framework7(?:\\.bundle)?(?:\\.min)?\\.(?:js\|css)\|f7-"],`
	`214`	`+ "patterns": ["framework7(?:\\.bundle)?(?:\\.min)?\\.(?:js\|css)"],`
`216`	`215`	`"globals": ["Framework7"],`
`217`	`216`	`"classPrefixes": ["f7-"]`
`218`	`217`	`},`
`@@ -240,7 +239,7 @@`
`240`	`239`	`},`
`241`	`240`	`{`
`242`	`241`	`"name": "Varlet",`
`243`		`- "patterns": ["varlet\|@varlet\\/\|var-"]`
	`242`	`+ "patterns": ["varlet\|@varlet\\/\|varletjs"]`
`244`	`243`	`},`
`245`	`244`	`{`
`246`	`245`	`"name": "Semi Design",`
Original file line number	Diff line number	Diff line change
`@@ -370,8 +370,8 @@`
`370`	`370`	`{`
`371`	`371`	`"name": "Outline Wiki",`
`372`	`372`	`"kind": "知识库 / 文档",`
`373`		`- "resourceHints": ["outline"],`
`374`		`- "patterns": ["outline[^\\s\"'<>]*\\.(?:js\|css\|svg\|png)(?:\\?\|$)"]`
	`373`	`+ "resourceHints": ["getoutline", "outline-wiki", "outlinewiki", "/outline/"],`
	`374`	`+ "patterns": ["getoutline\\.com", "(?:^\|/)outline(?:-wiki\|wiki)?[._-][^\\s\"'<>]*\\.(?:js\|css)", "/outline/"]`
`375`	`375`	`},`
`376`	`376`	`{`
`377`	`377`	`"name": "Wiki.js",`