mirror of
https://github.com/bitwarden/browser
synced 2026-01-31 00:33:33 +00:00
* Change domain terminology to web addresses

* Added phishing resource file

* Finish renaming and adding runtime configuration for domains vs links setting

* Update reference

* Add matching functions per resource

* correct URL matching logic for links-based detection

Problem:
The phishing link matcher was failing to detect known phishing URLs due to two issues:

1. Protocol mismatch: Entries in the phishing list use `http://` but users typically visit `https://` versions. The matcher was comparing full URLs including protocol, causing legitimate matches to fail.
   - List entry: `http://smartdapptradxx.pages.dev`
   - User visits: `https://smartdapptradxx.pages.dev/`
   - Result: No match (incorrect)

2. Hostname-only matching would have caused false positives: An earlier attempt to fix #1 included hostname-only comparison, which defeats the purpose of links-based detection. The goal of PM-28548 is precise URL matching to avoid blocking entire domains (like pages.dev, github.io) when only specific paths are malicious.

Solution:
- Always strip protocol (http:// or https://) from both entry and URL before comparison, treating them as equivalent
- Remove hostname-only matching to maintain precision
- Keep prefix matching for subpaths, query strings, and fragments

---------

Co-authored-by: Alex <adewitt@bitwarden.com>
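
The matching rule the commit message describes, as an added TypeScript sketch that is not taken from the Bitwarden code base. The function names, the trailing-slash normalization and the boundary check after the prefix are assumptions, and the second list entry is constructed.

```typescript
// Added illustration, not Bitwarden's implementation. All names are hypothetical.

/** Treat http:// and https:// as equivalent by dropping either prefix. */
function stripProtocol(value: string): string {
  return value.trim().replace(/^https?:\/\//i, "");
}

/** Assumption: "host" and "host/" denote the same list entry. */
function trimTrailingSlashes(value: string): string {
  return value.replace(/\/+$/, "");
}

/** True when `visited` is the listed link or a subpath, query or fragment of it. */
function matchesPhishingLink(entry: string, visited: string): boolean {
  const e = trimTrailingSlashes(stripProtocol(entry));
  const v = stripProtocol(visited);
  if (e.length === 0) {
    return false; // an empty entry must never match everything
  }
  if (trimTrailingSlashes(v) === e) {
    return true; // exact link, ignoring scheme and trailing slash
  }
  if (!v.startsWith(e)) {
    return false; // no hostname-only fallback: same host, other path is not a match
  }
  // Assumption: the prefix must end on a URL boundary, so "/login" does not
  // also match "/login-help" and "a.example" does not match "a.example.org".
  const next = v.charAt(e.length);
  return next === "/" || next === "?" || next === "#";
}

/** Return the first list entry that matches, or null. */
function findPhishingEntry(entries: string[], visited: string): string | null {
  for (const entry of entries) {
    if (matchesPhishingLink(entry, visited)) {
      return entry;
    }
  }
  return null;
}

// Constructed sample list; the first entry is the one quoted in the commit message.
const sampleEntries: string[] = [
  "http://smartdapptradxx.pages.dev",
  "http://shared-host.example/users/mallory/login",
];
```

The sketch compares hostnames case-sensitively; a matcher used in practice would lowercase the host portion before comparing.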