An externally hosted phishing warning page is now used rather than the
built-in phishing warning page.The phishing page warning URL is set via
configuration file or environment variable. The default URL is either
the expected production URL or `http://localhost:9999/` for e2e testing
environments.
The new external phishing page includes a design change when it is
loaded within an iframe. In that case it now shows a condensed message,
and prompts the user to open the full warning page in a new tab to see
more details or bypass the warning. This is to prevent a clickjacking
attack from safelisting a site without user consent.
The new external phishing page also includes a simple caching service
worker to ensure it continues to work offline (or if our hosting goes
offline), as long as the user has successfully loaded the page at least
once. We also load the page temporarily during the extension startup
process to trigger the service worker installation.
The old phishing page and all related lines have been removed. The
property `web_accessible_resources` has also been removed from the
manifest. The only entry apart from the phishing page was `inpage.js`,
and we don't need that to be web accessible anymore because we inject
the script inline into each page rather than loading the file directly.
New e2e tests have been added to cover more phishing warning page
functionality, including the "safelist" action and the "iframe" case.
All JavaScript files included in the final bundle are now listed as
target files. The `phishing-detect.js` file is the only new file to be
validated that was not validated before.
Any files that are expected to fail validation are commented out, with
a note explaining why they're expected to fail.
The report printed to the console for invalid source map samples has
been improved in a few ways:
* The entire message is now printed using `console.error`, so the
contents aren't split between STDERR and STDOUT
* The code fence is now guaranteed to be a set length, rather than it
varying depending on the filename
* The code fence is no longer padded on the inside with newlines, which
results in a more compact output that is (in my opinion) just as
readable.
All JavaScript files included in the final bundle are now listed as
target files. The `phishing-detect.js` file is the only new file to be
validated that was not validated before.
Any files that are expected to fail validation are commented out, with
a note explaining why they're expected to fail.
The report printed to the console for invalid source map samples has
been improved in a few ways:
* The entire message is now printed using `console.error`, so the
contents aren't split between STDERR and STDOUT
* The code fence is now guaranteed to be a set length, rather than it
varying depending on the filename
* The code fence is no longer padded on the inside with newlines, which
results in a more compact output that is (in my opinion) just as
readable.
This reverts commit 466ece4588, which has
the message:
"Revert "Merge pull request #7599 from MetaMask/Version-v7.7.0" (#7648)"
This effectively re-introduces the changes from the "LoginPerSite" PR.