mirror of
https://github.com/bitwarden/browser
synced 2026-01-31 16:53:27 +00:00
* Change domain terminology to web addresses
* Added phishing resource file
* Finish renaming and adding runtime configuration for domains vs links setting
* Update reference
* Add matching functions per resource
* correct URL matching logic for links-based detection
Problem:
The phishing link matcher was failing to detect known phishing URLs due to
two issues:
1. Protocol mismatch: Entries in the phishing list use `http://` but users
typically visit `https://` versions. The matcher was comparing full URLs
including protocol, causing legitimate matches to fail.
- List entry: `http://smartdapptradxx.pages.dev`
- User visits: `https://smartdapptradxx.pages.dev/`
- Result: No match (incorrect)
2. Hostname-only matching would have caused false positives: An earlier
attempt to fix #1 included hostname-only comparison, which defeats the
purpose of links-based detection. The goal of PM-28548 is precise URL
matching to avoid blocking entire domains (like pages.dev, github.io)
when only specific paths are malicious.
Solution:
- Always strip protocol (http:// or https://) from both entry and URL
before comparison, treating them as equivalent
- Remove hostname-only matching to maintain precision
- Keep prefix matching for subpaths, query strings, and fragments
---------
Co-authored-by: Alex <adewitt@bitwarden.com>
(cherry picked from commit 800a21d8a3)
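The matching rules the commit message describes (strip `http://`/`https://` from both sides, no hostname-only fallback, prefix matching so that subpaths, query strings and fragments under a listed URL still match) can be written out as a small matcher. The block below is an added example for this page, not Bitwarden's code, and the sample list, the `shared-host.example` entry and the function names are constructed for illustration. It goes one step beyond the commit text in one respect: a prefix match is only accepted when it ends on a URL delimiter (`/`, `?`, `#`) or at the end of the string, so that a listed host is not matched by a longer host that merely starts with the same characters.

```typescript
// Added example (not Bitwarden's code): links-based phishing URL matching
// following the rules in the commit message above.

type PhishingEntry = string;

// Strip a leading http:// or https:// so that list entries (which use http://)
// compare equal to the https:// versions users actually visit.
function stripProtocol(value: string): string {
  return value.trim().replace(/^https?:\/\//i, "");
}

// True when `visited` is the listed URL itself or a sub-resource of it.
// The boundary check on the character after the prefix is an assumption added
// here: without it, a listed host would also match `host.other.example`.
function matchesEntry(entry: PhishingEntry, visited: string): boolean {
  // Drop a trailing slash on the entry so "host/" and "host" behave alike.
  const e = stripProtocol(entry).replace(/\/+$/, "");
  const v = stripProtocol(visited);
  if (e.length === 0 || !v.startsWith(e)) {
    return false;
  }
  if (v.length === e.length) {
    return true; // exact match after protocol stripping
  }
  const next = v.charAt(e.length);
  return next === "/" || next === "?" || next === "#";
}

// Return the first list entry the visited URL matches, or null. There is
// deliberately no hostname-only comparison: an entry that lists a specific
// path on a shared host must not block every site on that host.
function findPhishingMatch(list: PhishingEntry[], visited: string): PhishingEntry | null {
  for (const entry of list) {
    if (matchesEntry(entry, visited)) {
      return entry;
    }
  }
  return null;
}

// Constructed sample list. The first entry is the one quoted in the commit
// message; the second is a hypothetical path-specific entry on a shared host.
const SAMPLE_LIST: PhishingEntry[] = [
  "http://smartdapptradxx.pages.dev",
  "http://shared-host.example/user-a/login",
];
```

With this matcher, `https://smartdapptradxx.pages.dev/` matches the `http://` list entry, `https://shared-host.example/user-a/login?next=1#top` matches the path-specific entry, while `https://shared-host.example/user-b/login` and the bare `https://pages.dev/` do not.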