From 494b4b711ce7c5c83e9e31ce76df6b78c7c40b07 Mon Sep 17 00:00:00 2001
From: Leslie Tilton <23057410+Banrion@users.noreply.github.com>
Date: Fri, 23 Jan 2026 13:17:16 -0600
Subject: [PATCH] Update QA phishing url to be normalized
---
 .../services/phishing-data.service.spec.ts | 39 +++++++++++++++++--
 .../services/phishing-data.service.ts | 18 ++++++---
 2 files changed, 48 insertions(+), 9 deletions(-)
diff --git a/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.spec.ts b/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.spec.ts
index 9176e7209ba..d633c0612f5 100644
--- a/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.spec.ts
+++ b/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.spec.ts
@@ -69,13 +69,44 @@ describe("PhishingDataService", () => {
 expect(service["indexedDbService"]).toBeDefined();
 });
- it("should detect QA test addresses", async () => {
- // The QA test address should always return true
- const QAurl = new URL("http://phishing.testcategory.com");
- expect(await service.isPhishingWebAddress(QAurl)).toBe(true);
+ it("should detect QA test addresses - http protocol", async () => {
+ const url = new URL("http://phishing.testcategory.com");
+ expect(await service.isPhishingWebAddress(url)).toBe(true);
 // IndexedDB should not be called for test addresses
 expect(mockIndexedDbService.hasUrl).not.toHaveBeenCalled();
 });
+
+ it("should detect QA test addresses - https protocol", async () => {
+ const url = new URL("https://phishing.testcategory.com");
+ expect(await service.isPhishingWebAddress(url)).toBe(true);
+ expect(mockIndexedDbService.hasUrl).not.toHaveBeenCalled();
+ });
+
+ it("should detect QA test addresses - specific subpath /block", async () => {
+ const url = new URL("https://phishing.testcategory.com/block");
+ expect(await service.isPhishingWebAddress(url)).toBe(true);
+ expect(mockIndexedDbService.hasUrl).not.toHaveBeenCalled();
+ });
+
+ it("should NOT detect QA test addresses - different subpath", async () => {
+ mockIndexedDbService.hasUrl.mockResolvedValue(false);
+ mockIndexedDbService.loadAllUrls.mockResolvedValue([]);
+
+ const url = new URL("https://phishing.testcategory.com/other");
+ const result = await service.isPhishingWebAddress(url);
+
+ // This should NOT be detected as a test address since only /block subpath is hardcoded
+ expect(result).toBe(false);
+ });
+
+ it("should detect QA test addresses - root path with trailing slash", async () => {
+ const url = new URL("https://phishing.testcategory.com/");
+ const result = await service.isPhishingWebAddress(url);
+
+ // This SHOULD be detected since URLs are normalized (trailing slash added to root URLs)
+ expect(result).toBe(true);
+ expect(mockIndexedDbService.hasUrl).not.toHaveBeenCalled();
+ });
 });
 describe("isPhishingWebAddress", () => {
diff --git a/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.ts b/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.ts
index 868aad3afad..77c222670d0 100644
--- a/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.ts
+++ b/apps/browser/src/dirt/phishing-detection/services/phishing-data.service.ts
@@ -83,7 +83,7 @@ export class PhishingDataService {
 // We are adding the destroy to guard against accidental leaks.
 private _destroy$ = new Subject();
- private _testWebAddresses = this.getTestWebAddresses().concat("phishing.testcategory.com"); // Included for QA to test in prod
+ private _testWebAddresses = this.getTestWebAddresses();
 private _phishingMetaState = this.globalStateProvider.get(PHISHING_DOMAINS_META_KEY);
 private indexedDbService: PhishingIndexedDbService;
@@ -154,7 +154,7 @@ export class PhishingDataService {
 */
 async isPhishingWebAddress(url: URL): Promise {
 // Quick check for QA/dev test addresses
- if (this._testWebAddresses.includes(url.hostname)) {
+ if (this._testWebAddresses.includes(url.href)) {
 return true;
 }
@@ -223,8 +223,14 @@ export class PhishingDataService {
 private getTestWebAddresses() {
 const flag = devFlagEnabled("testPhishingUrls");
+ // Normalize URLs by converting to URL object and back to ensure consistent format (e.g., trailing slashes)
+ const testWebAddresses: string[] = [
+ new URL("http://phishing.testcategory.com").href,
+ new URL("https://phishing.testcategory.com").href,
+ new URL("https://phishing.testcategory.com/block").href,
+ ];
 if (!flag) {
- return [];
+ return testWebAddresses;
 }
 const webAddresses = devFlagValue("testPhishingUrls") as unknown[];
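Review bot: The "different subpath" test only asserts `false`, which would also pass if the lookup were skipped altogether. Adding `expect(mockIndexedDbService.hasUrl).toHaveBeenCalled();` would show that the URL really fell through to the database check, assuming `hasUrl` is the lookup the non-test path uses, as the neighbouring assertions suggest. The new cases also leave out a QA URL carrying a query string or fragment, and dev-flag entries going through the new `new URL(addr).href` normalization, which are the inputs most likely to behave differently after the switch from `hostname` to `href`.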
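Review bot: The new `includes(url.href)` check in `isPhishingWebAddress` is an exact string match on the whole URL, so a query string, fragment, non-default port or any other path stops a QA address from matching, where the old `url.hostname` check matched every page on the host. If that narrowing is intended, the comment above the check should say so, e.g. `// Exact match against normalized test URLs; query and fragment are part of the comparison`. If QA links may carry parameters, compare `url.origin + url.pathname` against entries normalized the same way. The method's doc comment and the rest of its body are outside the hunk.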
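Review bot: The hardcoded list in `getTestWebAddresses` now carries the production behaviour that the removed `// Included for QA to test in prod` comment used to explain, while the new comment only describes normalization. I would keep that rationale on the array, e.g. `// Always treated as phishing, in production builds too, so QA can exercise the warning page; matched by exact href.` A doc comment on the method should also state that these entries are returned whether or not the `testPhishingUrls` dev flag is set. The function continues past the end of the hunk.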
@@ -233,9 +239,11 @@ export class PhishingDataService {
 "[PhishingDataService] Dev flag enabled for testing phishing detection. Adding test phishing web addresses:",
 webAddresses,
 );
- return webAddresses as string[];
+ // Normalize dev flag URLs as well
+ const normalizedDevAddresses = (webAddresses as string[]).map((addr) => new URL(addr).href);
+ return testWebAddresses.concat(normalizedDevAddresses);
 }
- return [];
+ return testWebAddresses;
 }
 private _getUpdatedMeta(): Observable {
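Review bot: `new URL(addr)` in the added `.map(...)` throws a TypeError for any dev-flag entry that is not an absolute URL, and since `getTestWebAddresses()` runs from the `_testWebAddresses` field initializer the exception would surface while the service is being constructed. Entries written for the previous `url.hostname` comparison would have been bare hostnames, so existing flag values are the likely trigger, and the `as string[]` cast over `unknown[]` also lets non-string values through. Skipping entries that fail to parse, and reporting them through the service's existing logger, keeps detection running with the remaining addresses. The function starts in the previous hunk and the `if` that opens this block is outside the hunk.

```typescript
// … unchanged: devFlagValue lookup and debug log …
const normalizedDevAddresses: string[] = [];
for (const addr of webAddresses) {
  if (typeof addr !== "string") {
    continue; // flag entries arrive as unknown[]; ignore anything that is not a string
  }
  try {
    normalizedDevAddresses.push(new URL(addr).href);
  } catch {
    // Not an absolute URL (for example a bare hostname from an older flag value):
    // skip it instead of throwing out of the field initializer.
  }
}
return testWebAddresses.concat(normalizedDevAddresses);
```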