@govtechsg/oobee 0.10.93 → 0.10.94

package/dist/static/ejs/partials/styles/wcagCompliance/WcagGaugeBar.ejs

@@ -39,6 +39,11 @@
   .gauge-number {
     font-weight: 700;
     font-size: 16px;
+    color: var(--dark-charcoal, #1f1f1f);
+    background-color: var(--true-white, #fff);
+    display: inline-block;
+    padding: 2px 8px;
+    border-radius: 999px;
   }
 
   .gauge-caption {
@@ -54,6 +59,7 @@
 
   .gauge-value-number {
     font-size: 24px;
+    color: var(--dark-charcoal, #1f1f1f);
   }
 
   .gauge-value-number.perfect-score {

package/dist/static/ejs/partials/styles/wcagCompliance.ejs

@@ -18,10 +18,11 @@
 		margin-bottom: 0rem;
 	}
 
-	.wcag-link {
-		font-size: 1rem;
-		border: 0;
-	}
+.wcag-link {
+font-size: 1rem;
+border: 0;
+text-decoration: underline;
+}
 
 	.wcag-status {
 		margin-bottom: 0.3rem;

package/dist/static/ejs/partials/styles/wcagCoverageDetails.ejs

@@ -12,9 +12,14 @@
     gap: 10px 18px;
   }
 
+  #wcagCoverage .wcag-criteria-heading {
+    font-size: 1.25rem;
+    line-height: 1.2;
+  }
+
   #wcagCoverage .wcag-grid a {
     color: var(--a11y-majorelle-blue, #5735DF);
-    text-decoration: none;
+    text-decoration: underline;
   }
   #wcagCoverage .wcag-grid a:hover,
   #wcagCoverage .wcag-grid a:focus-visible {

package/oobee-client-scanner.js

@@ -3,7 +3,7 @@
  * DO NOT EDIT MANUALLY. Re-generate with: node dist/generateOobeeClientScanner.js
  *
  * Embedded at generation time:
- *   App version : 0.10.93
+ *   App version : 0.10.94
  *   Sentry DSN  : (from OOBEE_SENTRY_DSN env var or constants.ts default)
  *   Sentry SDK  : @sentry/browser 10.58.0 (loaded from CDN at runtime)
  *
@@ -34883,7 +34883,7 @@
   // ── Sentry browser telemetry (Sentry JS SDK, loaded from CDN) ────────────
   
   var _oobeeSentryDsn          = "https://3b8c7ee46b06f33815a1301b6713ebc3@o4509047624761344.ingest.us.sentry.io/4509327783559168";
-  var _oobeeAppVersion         = "0.10.93";
+  var _oobeeAppVersion         = "0.10.94";
   var _oobeeSentryVersion      = "10.58.0";
   var _oobeeSentryInitialized  = false;
   var _oobeeSentryLoadPromise  = null;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@govtechsg/oobee",
   "main": "dist/npmIndex.js",
-  "version": "0.10.93",
+  "version": "0.10.94",
   "type": "module",
   "author": "Government Technology Agency <info@tech.gov.sg>",
   "bin": {

package/src/cli.ts

@@ -264,9 +264,10 @@ const scanInit = async (argvs: Answers): Promise<string> => {
     consoleLogger.info(`Connectivity Check HTTP Response Code: ${res.httpStatus}`);
 
   if (res.status === statuses.success.code) {
-    // Custom flow should continue from the user-provided entry URL so auth redirects
-    // do not replace the original domain used for overlay gating and navigation.
+    // Keep browser-resolved URL as entryUrl for downstream scan metadata/events
+    // on non-custom scans.
     if (data.type !== ScannerTypes.CUSTOM) {
+      data.entryUrl = res.url;
       data.url = res.url;
     }
     if (process.env.OOBEE_VALIDATE_URL) {

package/src/combine.ts

@@ -45,6 +45,7 @@ const combineRun = async (details: Data, deviceToScan: string) => {
   const {
     type,
     url,
+    entryUrl,
     nameEmail,
     randomToken,
     deviceChosen,
@@ -104,8 +105,8 @@ const combineRun = async (details: Data, deviceToScan: string) => {
 
   // remove basic-auth credentials from URL
   const finalUrl = !(type === ScannerTypes.SITEMAP || type === ScannerTypes.LOCALFILE)
-    ? new URL(url)
-    : new URL(pathToFileURL(url));
+    ? new URL(entryUrl)
+    : new URL(pathToFileURL(entryUrl));
 
   // Use the string version of finalUrl to reduce logic at submitForm
   const finalUrlString = finalUrl.toString();

package/src/constants/common.ts

@@ -359,8 +359,11 @@ const checkUrlConnectivityWithBrowser = async (
     }
   }
 
-  // Ensure Accept header for non-html content fallback
-  extraHTTPHeaders.Accept ||= 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
+  // Ensure Accept header for non-html content fallback — use a local copy to avoid
+  // mutating the caller's extraHTTPHeaders object (which is later checked by crawlers
+  // to decide whether to enable preNavigationHooks header rewriting).
+  const localHeaders = { ...extraHTTPHeaders };
+  localHeaders.Accept ||= 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8';
 
   await initModifiedUserAgent(browserToRun, playwrightDeviceDetailsObject, clonedDataDir);
 
@@ -378,7 +381,7 @@ const checkUrlConnectivityWithBrowser = async (
 
   const launchOptions = getPlaywrightLaunchOptions(browserToRun);
   
-  const { Authorization, ...nonAuthHeaders } = extraHTTPHeaders || {};
+  const { Authorization, ...nonAuthHeaders } = localHeaders || {};
   let httpCredentials = undefined;
   if (Authorization?.startsWith('Basic ')) {
     const decoded = Buffer.from(Authorization.slice(6), 'base64').toString();
@@ -436,19 +439,21 @@ const checkUrlConnectivityWithBrowser = async (
     // Only enable generic Authorization header routing interception broadly if 
     // a non-Basic Bearer auth string is heavily relied upon, thereby bypassing 
     // performance warnings inside the check checkUrl phase for typical public scans
-    if (Authorization && !httpCredentials) {
-      const entryOrigin = new URL(url).origin;
-      await browserContext.route('**/*', async (route: any, request: any) => {
-        try {
-          if (new URL(request.url()).origin === entryOrigin) {
-            await route.continue({ headers: { ...request.headers(), Authorization } });
-          } else {
+    if (Object.keys(localHeaders).length > 0) {
+      if (Authorization && !httpCredentials) {
+        const entryOrigin = new URL(url).origin;
+        await browserContext.route('**/*', async (route: any, request: any) => {
+          try {
+            if (new URL(request.url()).origin === entryOrigin) {
+              await route.continue({ headers: { ...request.headers(), Authorization } });
+            } else {
+              await route.continue();
+            }
+          } catch {
             await route.continue();
           }
-        } catch {
-          await route.continue();
-        }
-      });
+        });
+      }
     }
 
     const page = await browserContext.newPage();
@@ -569,7 +574,7 @@ export const isSitemapContent = (content: string) => {
   }
 
   const regexForHtml = new RegExp('<(?:!doctype html|html|head|body)+?>', 'gmi');
-  const regexForXmlSitemap = new RegExp('<(?:urlset|feed|rss)+?.*>', 'gmi');
+  const regexForXmlSitemap = new RegExp('<(?:urlset|sitemapindex|feed|rss)+?.*>', 'gmi');
   if (content.match(regexForHtml) && content.match(regexForXmlSitemap)) {
     // is an XML sitemap wrapped in a HTML document
     return true;
@@ -592,8 +597,22 @@ export const checkUrl = async (
   extraHTTPHeaders: Record<string, string>,
   fileTypes: FileTypes,
 ) => {
+  let urlToCheck = url;
+
+  if (scanner === ScannerTypes.LOCALFILE) {
+    if (!isFilePath(url)) {
+      const res = new RES();
+      res.status = constants.urlCheckStatuses.notALocalFile.code;
+      return res;
+    }
+
+    if (!url.toLowerCase().startsWith('file://')) {
+      urlToCheck = pathToFileURL(path.resolve(url)).toString();
+    }
+  }
+
   const res = await checkUrlConnectivityWithBrowser(
-    url,
+    urlToCheck,
     browser,
     clonedDataDir,
     playwrightDeviceDetailsObject,
@@ -681,6 +700,7 @@ export const prepareData = async (argv: Answers): Promise<Data> => {
     ruleset,
     generateJsonFiles,
     scanDuration,
+    finalUrl,
   } = argv;
 
   const extraHTTPHeaders = parseHeaders(header);
@@ -714,6 +734,10 @@ export const prepareData = async (argv: Answers): Promise<Data> => {
     url = temp.toString();
   }
 
+  // Keep browser-resolved URL (if provided by pre-check flow) as canonical entry URL.
+  // For local file paths, keep using the normalized `url` value below.
+  const resolvedEntryUrl = finalUrl && !isFilePath(finalUrl) ? finalUrl : url;
+
   // construct filename for scan results
   const [date, time] = new Date().toLocaleString('sv').replaceAll(/-|:/g, '').split(' ');
   const domain = isLocalFileScan ? path.basename(url) : new URL(url).hostname;
@@ -758,7 +782,7 @@ export const prepareData = async (argv: Answers): Promise<Data> => {
   return {
     type: scanner,
     url,
-    entryUrl: url,
+    entryUrl: resolvedEntryUrl,
     isHeadless: headless,
     deviceChosen,
     customDevice,
@@ -1009,6 +1033,8 @@ export const getLinksFromSitemap = async (
   const scannedSitemaps = new Set<string>();
   const sitemapLinkCounts: Record<string, number> = {};
   const allUrls = new Set<string>(); // all discovered URLs (lightweight strings)
+  const isImageSitemapUrl = (candidateUrl: string) =>
+    /(^|\/)image-sitemap(?:-index)?(?:-\d+)?\.xml(?:$|[?#])/i.test(candidateUrl);
 
   const addToUrlList = (url: string) => {
     if (!url) return;
@@ -1092,6 +1118,11 @@ export const getLinksFromSitemap = async (
     let data;
     let sitemapType;
 
+    if (isImageSitemapUrl(url)) {
+      consoleLogger.info(`Skipping image sitemap: ${url}`);
+      return;
+    }
+
     if (scannedSitemaps.has(url)) {
       // Skip processing if the sitemap has already been scanned
       return;
@@ -1147,11 +1178,28 @@ export const getLinksFromSitemap = async (
 
         const page = await browserContext.newPage();
 
-        await page.goto(url, { waitUntil: 'networkidle', timeout: 60000 });
+        // Use 'domcontentloaded' instead of 'networkidle' — sitemap XMLs with
+        // XSL stylesheet references (e.g. <?xml-stylesheet ...?>) cause the browser
+        // to fetch and apply the stylesheet, which may load additional resources
+        // (fonts, CSS, images) that prevent 'networkidle' from ever being reached.
+        const response = await page.goto(url, { waitUntil: 'domcontentloaded', timeout: 60000 });
+
+        // Prefer the raw response body — this gives us the original XML before
+        // the browser applies any XSL transformation (which would turn the XML
+        // into rendered HTML, losing the sitemap structure).
+        if (response) {
+          try {
+            data = await response.text();
+          } catch {
+            // response.text() can fail if the body was already consumed or
+            // if a redirect occurred; fall through to DOM extraction below.
+          }
+        }
 
-        if ((await page.locator('body').count()) > 0) {
-          data = await page.locator('body').innerText();
-        } else {
+        if (!data) {
+          if ((await page.locator('body').count()) > 0) {
+            data = await page.locator('body').innerText();
+          } else {
           const urlSet = page.locator('urlset');
           const sitemapIndex = page.locator('sitemapindex');
           const rss = page.locator('rss');
@@ -1166,6 +1214,7 @@ export const getLinksFromSitemap = async (
             data = await rss.evaluate(elem => elem.outerHTML);
           } else if (await isRoot(feed)) {
             data = await feed.evaluate(elem => elem.outerHTML);
+            }
           }
         }
       } finally {
@@ -1189,39 +1238,65 @@ export const getLinksFromSitemap = async (
     }
 
     const $ = cheerio.load(data, { xml: true });
+    const countBefore = allUrls.size;
 
     // This case is when the document is not an XML format document
     if ($(':root').length === 0) {
       processNonStandardSitemap(data);
+
+      const linksFromThisSitemap = allUrls.size - countBefore;
+      if (linksFromThisSitemap > 0) {
+        sitemapLinkCounts[url] = (sitemapLinkCounts[url] || 0) + linksFromThisSitemap;
+      }
       return;
     }
 
     // Root element
     const root = $(':root')[0];
+    const hasImageNamespace = Object.values(root?.attribs ?? {}).some(
+      attribVal => typeof attribVal === 'string' && attribVal.toLowerCase().includes('sitemap-image'),
+    );
 
-    const { xmlns } = root.attribs;
+    if (hasImageNamespace) {
+      consoleLogger.info(`Skipping image sitemap: ${url}`);
+      return;
+    }
+
+    const rootName = root?.name?.toLowerCase().split(':').pop() ?? '';
+    const hasXmlSitemapIndexTag = /<\s*(?:[a-z0-9_-]+:)?sitemapindex\b/i.test(data);
+    const hasXmlUrlsetTag = /<\s*(?:[a-z0-9_-]+:)?urlset\b/i.test(data);
 
-    const xmlFormatNamespace = '/schemas/sitemap';
-    if (root.name === 'urlset' && xmlns.includes(xmlFormatNamespace)) {
+    if (rootName === 'urlset') {
       sitemapType = constants.xmlSitemapTypes.xml;
-    } else if (root.name === 'sitemapindex' && xmlns.includes(xmlFormatNamespace)) {
+    } else if (rootName === 'sitemapindex') {
       sitemapType = constants.xmlSitemapTypes.xmlIndex;
-    } else if (root.name === 'rss') {
+    } else if (rootName === 'rss') {
       sitemapType = constants.xmlSitemapTypes.rss;
-    } else if (root.name === 'feed') {
+    } else if (rootName === 'feed') {
       sitemapType = constants.xmlSitemapTypes.atom;
+    } else if (hasXmlSitemapIndexTag) {
+      sitemapType = constants.xmlSitemapTypes.xmlIndex;
+    } else if (hasXmlUrlsetTag) {
+      sitemapType = constants.xmlSitemapTypes.xml;
     } else {
       sitemapType = constants.xmlSitemapTypes.unknown;
     }
 
-    const countBefore = allUrls.size;
-
     switch (sitemapType) {
       case constants.xmlSitemapTypes.xmlIndex:
-        consoleLogger.info(`This is a XML format sitemap index.`);
+        consoleLogger.info(`This is a XML format sitemap index: ${url}`);
         for (const childSitemapUrl of $('loc')) {
-          const childSitemapUrlText = $(childSitemapUrl).text();
-          if (childSitemapUrlText.endsWith('.xml') || childSitemapUrlText.endsWith('.txt')) {
+          const childSitemapUrlText = $(childSitemapUrl).text().trim();
+          if (!childSitemapUrlText) {
+            continue;
+          }
+
+          const childSitemapPath = childSitemapUrlText.split(/[?#]/)[0].toLowerCase();
+          if (childSitemapPath.endsWith('.xml') || childSitemapPath.endsWith('.txt')) {
+            if (isImageSitemapUrl(childSitemapUrlText)) {
+              consoleLogger.info(`Skipping image sitemap: ${childSitemapUrlText}`);
+              continue;
+            }
             await fetchUrls(childSitemapUrlText, extraHTTPHeaders); // Recursive call for nested sitemaps
           } else {
             addToUrlList(childSitemapUrlText); // Add regular URLs to the list
@@ -1229,19 +1304,19 @@ export const getLinksFromSitemap = async (
         }
         break;
       case constants.xmlSitemapTypes.xml:
-        consoleLogger.info(`This is a XML format sitemap.`);
+        consoleLogger.info(`This is a XML format sitemap: ${url}`);
         await processXmlSitemap($, sitemapType, 'loc', 'lastmod', 'url');
         break;
       case constants.xmlSitemapTypes.rss:
-        consoleLogger.info(`This is a RSS format sitemap.`);
+        consoleLogger.info(`This is a RSS format sitemap: ${url}`);
         await processXmlSitemap($, sitemapType, 'link', 'pubDate', 'item');
         break;
       case constants.xmlSitemapTypes.atom:
-        consoleLogger.info(`This is a Atom format sitemap.`);
+        consoleLogger.info(`This is a Atom format sitemap: ${url}`);
         await processXmlSitemap($, sitemapType, 'link', 'published', 'entry');
         break;
       default:
-        consoleLogger.info(`This is an unrecognised XML sitemap format.`);
+        consoleLogger.info(`This is an unrecognised XML sitemap format: ${url}`);
         processNonStandardSitemap(data);
     }
 
@@ -2191,6 +2266,7 @@ export const isFilePath = (url: string): boolean => {
   const driveLetterPattern = /^[A-Z]:/i;
   const backslashPattern = /\\/;
   return (
+    url.toLowerCase().startsWith('file://') ||
     url.startsWith('/') ||
     driveLetterPattern.test(url) ||
     backslashPattern.test(url) ||

package/src/crawlers/commonCrawlerFunc.ts

@@ -1145,10 +1145,19 @@ export const createCrawleeSubFolders = async (
 export const preNavigationHooks = (extraHTTPHeaders: Record<string, string>) => {
   return [
     async (crawlingContext: CrawlingContext, gotoOptions: PlaywrightGotoOptions) => {
-      if (extraHTTPHeaders) {
+      if (extraHTTPHeaders && Object.keys(extraHTTPHeaders).length > 0) {
         crawlingContext.request.headers = extraHTTPHeaders;
       }
-      gotoOptions = { waitUntil: 'networkidle', timeout: 30000 };
+      // Use domcontentloaded — fires as soon as the DOM is parsed, before
+      // images/stylesheets/network requests settle. This avoids indefinite
+      // hangs on sites with WebSockets, analytics polling, or infinite-scroll
+      // beacons that never reach networkidle. Further page stability is
+      // handled by waitForPageLoaded() in each crawler's requestHandler and
+      // by the DOM mutation observer in postNavigationHooks.
+      if (gotoOptions) {
+        gotoOptions.waitUntil = 'domcontentloaded';
+        gotoOptions.timeout = 30000;
+      }
     },
   ];
 };

package/src/crawlers/crawlDomain.ts

@@ -5,6 +5,7 @@ import type { PlaywrightCrawlingContext, RequestOptions } from 'crawlee';
 import {
   createCrawleeSubFolders,
   getPreLaunchHook,
+  preNavigationHooks,
   runAxeScript,
   isUrlPdf,
   shouldSkipClickDueToDisallowedHref,
@@ -414,12 +415,10 @@ const crawlDomain = async ({
         ],
       },
       requestQueue,
+      maxRequestRetries: 3,
+      maxSessionRotations: 1,
       preNavigationHooks: [
-        async (crawlingContext) => {
-          if (extraHTTPHeaders) {
-            crawlingContext.request.headers = extraHTTPHeaders;
-          }
-        },
+        ...preNavigationHooks(extraHTTPHeaders),
       ],
       postNavigationHooks: [
         async crawlingContext => {

package/src/crawlers/crawlSitemap.ts

@@ -7,6 +7,7 @@ import {
   preNavigationHooks,
   runAxeScript,
   isUrlPdf,
+  splitAuthHeaders,
 } from './commonCrawlerFunc.js';
 
 import constants, {
@@ -85,6 +86,7 @@ const crawlSitemap = async ({
     maxRequestsPerCrawl,
     specifiedMaxConcurrency || constants.maxConcurrency,
   );
+  const initialNoSuccessFailureAbortThreshold = Math.max(5, Math.min(maxRequestsPerCrawl, 25));
 
   if (fromCrawlIntelligentSitemap) {
     dataset = datasetFromIntelligent;
@@ -119,6 +121,7 @@ const crawlSitemap = async ({
   const isScanPdfs = [FileTypes.All, FileTypes.PdfOnly].includes(fileTypes as FileTypes);
   const { playwrightDeviceDetailsObject } = viewportSettings;
   const { maxConcurrency } = constants;
+  const { nonAuthHeaders, httpCredentials } = splitAuthHeaders(extraHTTPHeaders);
 
   const requestList = await RequestList.open({
     sources: linksFromSitemap,
@@ -142,11 +145,15 @@ const crawlSitemap = async ({
               ...playwrightDeviceDetailsObject,
               ...(process.env.OOBEE_USER_AGENT && { userAgent: process.env.OOBEE_USER_AGENT }),
               ...(process.env.OOBEE_DISABLE_BROWSER_DOWNLOAD && { acceptDownloads: false }),
+              ...(nonAuthHeaders && { extraHTTPHeaders: nonAuthHeaders }),
+              ...(httpCredentials && { httpCredentials }),
             };
           },
         ],
       },
       requestList,
+      maxRequestRetries: 3,
+      maxSessionRotations: 1,
       postNavigationHooks: [
         async ({ page }) => {
           try {
@@ -197,6 +204,7 @@ const crawlSitemap = async ({
         },
       ],
       preNavigationHooks: [
+        ...preNavigationHooks(extraHTTPHeaders),
         async ({ request, page }, gotoOptions) => {
           const url = request.url.toLowerCase();
 
@@ -213,8 +221,6 @@ const crawlSitemap = async ({
 
             return;
           }
-
-          preNavigationHooks(extraHTTPHeaders);
         },
       ],
       requestHandlerTimeoutSecs: 90,
@@ -449,6 +455,17 @@ const crawlSitemap = async ({
           httpStatusCode: typeof status === 'number' ? status : 0,
         });
         crawlee.log.error(`Failed Request - ${request.url}: ${request.errorMessages}`);
+
+        if (
+          urlsCrawled.scanned.length === 0 &&
+          urlsCrawled.error.length >= initialNoSuccessFailureAbortThreshold
+        ) {
+          consoleLogger.info(
+            `Aborting sitemap crawl: ${urlsCrawled.error.length} failed pages with 0 successful scans.`,
+          );
+          isAbortingScan = true;
+          crawler.autoscaledPool?.abort();
+        }
       },
       maxRequestsPerCrawl: Infinity,
       maxConcurrency: specifiedMaxConcurrency || maxConcurrency,

package/src/crawlers/custom/utils.ts

@@ -1228,19 +1228,32 @@ export const initNewPage = async (page, pageClosePromises, processPageParams, pa
         const allowed = isOverlayAllowed(page.url(), processPageParams.entryUrl);
 
         if (!allowed) {
-          await Promise.race([
-            removeOverlayMenu(page),
-            new Promise((_, reject) => {
-              setTimeout(() => {
-                reject(
-                  new Error(
-                    `removeOverlayMenu timed out after ${OVERLAY_OPERATION_TIMEOUT_MS}ms`,
-                  ),
-                );
-              }, OVERLAY_OPERATION_TIMEOUT_MS);
-            }),
-          ]);
-          return;
+          // On macOS and Windows the custom flow always runs headful.
+          // The URL guard (urlGuard.ts) intercepts non-http/https navigations
+          // and calls page.goto(safeUrl). Do NOT remove the overlay here —
+          // removing it causes it to stay permanently disabled if the redirect
+          // races ahead of the next reconcile cycle.
+          // Instead, fall through to the hasOverlay / addOverlayMenu block so
+          // the overlay is (re-)injected even on transient non-http/https URLs
+          // (e.g. file://, about:blank) and again after the guard's redirect.
+          const isDesktopHost = process.platform === 'darwin' || process.platform === 'win32';
+          if (!isDesktopHost) {
+            // On Linux / Docker: remove overlay for non-http/https URLs and stop.
+            await Promise.race([
+              removeOverlayMenu(page),
+              new Promise((_, reject) => {
+                setTimeout(() => {
+                  reject(
+                    new Error(
+                      `removeOverlayMenu timed out after ${OVERLAY_OPERATION_TIMEOUT_MS}ms`,
+                    ),
+                  );
+                }, OVERLAY_OPERATION_TIMEOUT_MS);
+              }),
+            ]);
+            return;
+          }
+          // Desktop hosts: skip removal and fall through to re-add overlay.
         }
 
         const hasOverlay = await page.evaluate(() =>

package/src/crawlers/guards/urlGuard.ts

@@ -35,8 +35,18 @@ export function addUrlGuardScript(context, opts = {}) {
       });
 
     const restoreToSafeUrl = async (page, attemptedUrl) => {
+      const safeUrl = lastAllowedUrlByPage.get(page) || fallbackUrl || 'about:blank';
+      // Only redirect if the safe URL is itself an allowed (http/https) URL.
+      // If the entry URL is file:// (e.g. scanning a local HTML file), the
+      // fallback is also file://, and redirecting would create an infinite loop:
+      //   file:// → restoreToSafeUrl → file:// → framenavigated → restoreToSafeUrl → …
+      try {
+        const safeObj = new URL(safeUrl);
+        if (!ALLOWED_PROTOCOLS.has(safeObj.protocol)) return;
+      } catch {
+        return;
+      }
       try {
-        const safeUrl = lastAllowedUrlByPage.get(page) || fallbackUrl || 'about:blank';
         await page.goto(safeUrl, { waitUntil: 'domcontentloaded' });
       } catch {
         // page might be closing; ignore
@@ -58,6 +68,13 @@ export function addUrlGuardScript(context, opts = {}) {
         lastAllowedUrlByPage.set(page, urlObj.toString());
         return;
       }
+
+      // Skip browser-internal transitional states (about:blank, about:srcdoc, etc.).
+      // page.goto() navigates through about:blank before loading the target URL.
+      // Redirecting from about: creates an infinite loop:
+      //   restoreToSafeUrl → page.goto(safeUrl) → about:blank → restoreToSafeUrl → …
+      if (urlObj.protocol === 'about:') return;
+
       await restoreToSafeUrl(page, urlStr);
     });
   };

package/src/static/ejs/partials/components/allIssues/CategoryBadges.ejs

@@ -7,6 +7,7 @@
         <button
           type="button"
           class="category-tooltip-icon"
+          aria-label="About Must Fix category"
           aria-describedby="mustFixTooltip"
         >
           <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14"
@@ -34,6 +35,7 @@
         <button
           type="button"
           class="category-tooltip-icon"
+          aria-label="About Good to Fix category"
           aria-describedby="goodToFixTooltip"
         >
           <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14"
@@ -61,6 +63,7 @@
         <button
           type="button"
           class="category-tooltip-icon"
+          aria-label="About Manual Test category"
           aria-describedby="manualTestTooltip"
         >
           <svg xmlns="http://www.w3.org/2000/svg" width="14" height="14"

package/src/static/ejs/partials/components/allIssues/IssuesTable.ejs

@@ -2,21 +2,21 @@
   <table class="issues-table" id="issuesTable">
     <thead>
       <tr>
-        <th class="sortable" role="button" tabindex="0" aria-sort="none" style="width: 15%;">
+        <th class="sortable" tabindex="0" aria-sort="none" style="width: 15%;">
           <span>Severity</span>
           <svg class="sort-icon" width="24" height="24" viewBox="0 0 24 24" fill="none" aria-hidden="true">
             <path d="M7 9L12 4L17 9H7Z" fill="currentColor" opacity="1" />
             <path d="M7 15L12 20L17 15H7Z" fill="currentColor" opacity="0.3" />
           </svg>
         </th>
-        <th class="sortable" role="button" tabindex="0" aria-sort="none">
+        <th class="sortable" tabindex="0" aria-sort="none">
           <span>Issue Name</span>
           <svg class="sort-icon" width="24" height="24" viewBox="0 0 24 24" fill="none" aria-hidden="true">
             <path d="M7 9L12 4L17 9H7Z" fill="currentColor" opacity="0.3" />
             <path d="M7 15L12 20L17 15H7Z" fill="currentColor" opacity="1" />
           </svg>
         </th>
-        <th class="sortable" role="button" tabindex="0" aria-sort="descending" style="width: 15%;">
+        <th class="sortable" tabindex="0" aria-sort="descending" style="width: 15%;">
           <span>Occurrence</span>
           <svg class="sort-icon" width="24" height="24" viewBox="0 0 24 24" fill="none" aria-hidden="true">
             <path d="M7 9L12 4L17 9H7Z" fill="currentColor" opacity="0.3" />

package/src/static/ejs/partials/components/header/aboutScanModal/AboutScanModal.ejs

@@ -1,4 +1,4 @@
-<div id="aboutScanModal" class="modal fade" tabindex="-1" aria-labelledby="aboutScanModalLabel" aria-hidden="true">
+<div id="aboutScanModal" class="modal fade" tabindex="-1" aria-label="About this scan" aria-hidden="true">
   <div class="modal-dialog modal-dialog-centered">
     <div class="modal-content">
       <div class="modal-header">