From 82e1d5f4f61396d5469314378354e63f8c0cd5aa Mon Sep 17 00:00:00 2001
From: imblue-dabadee
Date: Tue, 23 Sep 2025 20:21:27 -0500
Subject: [PATCH 1/3] feat: sends suspectHref
---
 src/index.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/index.ts b/src/index.ts
index 086caf8..7cbdcff 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -182,7 +182,7 @@ function start() {
 phishingSafelistStream.write({
 jsonrpc: '2.0',
 method: 'safelistPhishingDomain',
- params: [suspectOrigin],
+ params: [suspectHref],
 id: createRandomId(),
 });
From f6e86de534e267dde72edfcc2c0def6e86117dac Mon Sep 17 00:00:00 2001
From: imblue-dabadee
Date: Tue, 23 Sep 2025 20:21:40 -0500
Subject: [PATCH 2/3] test: sends full href
---
 tests/bypass.spec.ts | 51 +++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 50 insertions(+), 1 deletion(-)
diff --git a/tests/bypass.spec.ts b/tests/bypass.spec.ts
index 65df2e4..ec58ac4 100644
--- a/tests/bypass.spec.ts
+++ b/tests/bypass.spec.ts
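Review bot: In patch 1/3, `params: [suspectHref]` in src/index.ts changes what the `safelistPhishingDomain` message carries from an origin to a full URL (path, query string and fragment included), and nothing at the call site records that. The method name still reads as domain-scoped and the receiving side is not part of this series, so the intended scope of the safelist entry (hostname or exact URL) should be stated, and it should be confirmed that the receiver parses the value as a URL instead of comparing it as an origin string. The value traces back to `hashQueryString.get('href')` (visible in patch 3/3), so it comes from the page URL's fragment and the receiver should treat it as untrusted. I would add a comment above the `write` call such as `// params[0] is the full suspect href, not an origin; the receiver must parse it and derive the hostname itself.` The enclosing `start()` begins and ends outside the hunk.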
@@ -24,7 +24,56 @@ test('allows the user to bypass the warning and add the site origin to the allow
 id: expect.any(Number),
 jsonrpc: '2.0',
 method: 'safelistPhishingDomain',
- params: ['https://test.com'],
+ params: ['https://test.com/'],
+ },
+ name: 'metamask-phishing-safelist',
+ });
+});
+
+test('allows the user to bypass the warning with URL path and sends full href', async ({
+ page,
+}) => {
+ const postMessageLogs = await setupStreamInitialization(page);
+ const testUrl = 'https://test-phishing-domain.invalid/path';
+ const hashParams = new URLSearchParams({
+ href: testUrl,
+ });
+
+ await page.goto(`/#${hashParams}`);
+ await page.locator('css=#unsafe-continue').click();
+
+ await expect(postMessageLogs.length).toBe(1);
+ await expect(postMessageLogs[0].message).toStrictEqual({
+ data: {
+ id: expect.any(Number),
+ jsonrpc: '2.0',
+ method: 'safelistPhishingDomain',
+ params: [testUrl],
+ },
+ name: 'metamask-phishing-safelist',
+ });
+});
+
+test('allows bypass with complex URL including query parameters and fragments', async ({
+ page,
+}) => {
+ const postMessageLogs = await setupStreamInitialization(page);
+ const complexUrl =
+ 'https://test-complex.invalid/path?param=value&other=test#section';
+ const hashParams = new URLSearchParams({
+ href: complexUrl,
+ });
+
+ await page.goto(`/#${hashParams}`);
+ await page.locator('css=#unsafe-continue').click();
+
+ await expect(postMessageLogs.length).toBe(1);
+ await expect(postMessageLogs[0].message).toStrictEqual({
+ data: {
+ id: expect.any(Number),
+ jsonrpc: '2.0',
+ method: 'safelistPhishingDomain',
+ params: [complexUrl],
 },
 name: 'metamask-phishing-safelist',
 });
From 3a032951b24a985d3b81d4b2592b59f0cdf44b8c Mon Sep 17 00:00:00 2001
From: imblue-dabadee
Date: Tue, 23 Sep 2025 20:29:25 -0500
Subject: [PATCH 3/3] chore: remove unused var
---
 src/index.ts | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)
diff --git a/src/index.ts b/src/index.ts
index 7cbdcff..f5239e9 100644
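Review bot: The two tests added in tests/bypass.spec.ts only pin well-formed `https:` URLs, so the new full-href behaviour has no coverage for values the page should decline to forward. Because `href` is read straight from the URL fragment, I would add cases for a missing or unparseable `href`, a non-http(s) scheme, and a URL containing a userinfo part, each asserting what `getSuspect` is meant to do with it (its behaviour is not visible here) and how many messages end up in `postMessageLogs`. Separately, the first test's title still speaks of adding the site origin while its expectation is now `'https://test.com/'`, and `await expect(postMessageLogs.length).toBe(1)` awaits a synchronous matcher, so the `await` can be dropped.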
--- a/src/index.ts
+++ b/src/index.ts
@@ -142,12 +142,8 @@ function start() {
 const hashContents = hash.slice(1); // drop leading '#' from hash
 const hashQueryString = new URLSearchParams(hashContents);
- const {
- suspectHref,
- suspectHostnameUnicode,
- suspectHrefUnicode,
- suspectOrigin,
- } = getSuspect(hashQueryString.get('href'));
+ const { suspectHref, suspectHostnameUnicode, suspectHrefUnicode } =
+ getSuspect(hashQueryString.get('href'));
 const suspectLink = document.getElementById('suspect-link');
 if (!suspectLink) {