Support "single-page apps" that divorce location.pathname from main_frame requests

[James-E-A]

The current code works great for apps that respect the URL metaphor by only using the fragment to represent its internal state (e.g. VMWare ESXi web UI), but breaks down for apps that completely commandeer it via JavaScript (e.g. Discourse, Discord, GitHub)

[James-E-A]

The right(?) way to do this is, I guess:

• If we have not yet seen that host on that tab, use it
• If the request is main_frame, use it

Tangentially: consider blocking + sounding the alarm on requests which match the hostname, but not the certificate, of the last request in its tab matching the above criteria

@TJesionowski got any ideas?

[James-E-A]

Better yet: figure out whence the data for "what's shown if you click on the lock in the URL bar" is got, especially for PWAs that may run fully-offline.

[James-E-A]

Seems to have been fixed in 3a9048c when we switched to matching by host instead of whole-URL

[James-E-A]

Nevermind; this is still present for offline PWAs. Does anybody know how to getSecurityInfo() for ServiceWorker-managed requests? (The Security tab in the devtools networkmonitor is populated…)

[James-E-A]

Does anybody know how to getSecurityInfo() for ServiceWorker-managed requests?

No bites yet: https://discourse.mozilla.org/t/getsecurityinfo-for-pwas/81239