Skip to content

fix: use correct href for phishing page proceed anyway button #36871

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open

fix: use correct href for phishing page proceed anyway button #36871

Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
aebf3b0
fix proceed anyway button on c2 domains
mindofmar Oct 14, 2025
e22fdb4
minor refactor
mindofmar Oct 14, 2025
80bac5e
minor fixes
mindofmar Oct 16, 2025
879d2b4
fix tests
mindofmar Oct 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 17 additions & 4 deletions app/scripts/background.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -344,26 +344,36 @@ function maybeDetectPhishing(theController) {

// Determine the block reason based on the type
let blockReason;
let blockedUrl = hostname;
let blockedUrl = href;
if (phishingTestResponse?.result && blockedRequestResponse.result) {
blockReason = `${phishingTestResponse.type} and ${blockedRequestResponse.type}`;
} else if (phishingTestResponse?.result) {
blockReason = phishingTestResponse.type;
} else {
// Override the blocked URL to the initiator URL if the request was flagged by c2 detection
blockReason = blockedRequestResponse.type;
blockedUrl = details.initiator;
}

let blockedHostname;
try {
blockedHostname = new URL(blockedUrl).hostname;
} catch {
// If blockedUrl is null or undefined, fall back to the original URL
blockedHostname = hostname;
blockedUrl = href;
}

if (!isFirefox) {
theController.metaMetricsController.trackEvent(
{
// should we differentiate between background redirection and content script redirection?
event: MetaMetricsEventName.PhishingPageDisplayed,
category: MetaMetricsEventCategory.Phishing,
properties: {
url: blockedUrl,
url: blockedHostname,
referrer: {
url: blockedUrl,
url: blockedHostname,
},
reason: blockReason,
requestDomain: blockedRequestResponse.result
Expand All @@ -376,7 +386,10 @@ function maybeDetectPhishing(theController) {
},
);
}
const querystring = new URLSearchParams({ hostname, href });
const querystring = new URLSearchParams({
hostname: blockedHostname, // used for creating the EPD issue title (false positive report)
href: blockedUrl, // used for displaying the URL on the phsihing warning page + proceed anyway URL
});
const redirectUrl = new URL(phishingPageHref);
redirectUrl.hash = querystring.toString();
const redirectHref = redirectUrl.toString();
Expand Down
Loading