All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Redesign UI of the phishing warning page (#176)
- BREAKING: Update
phishingSafelistStreamto sendorigininstead ofhostnameas a parameter forsafelistPhishingDomainmethod (#165)
- Update index.html - update attribution copy (#161)
- chore(devdeps): @lavamoat/allow-scripts@^2.3.1->^3.0.4 (#157)
- Enabling MetaMask security code scanner (#151)
- remove globalthis polyfill (#149)
- Bump @metamask/post-message-stream from 7.0.0 to 8.0.0 (#146)
- Update
sestov1.1.0(#143)
- change to hostname for Github issues (#127)
- Using href url param only for suspect site (#124)
- BREAKING: Increase minimum Node.js version to 16 (#107)
- BREAKING: This package now returns streams conforming to the API of [email protected]. (#122) (#104)
- Bump ses from ^0.18.7 to ^0.18.8 (#120)
- Dependency updates (#105)
- Move @types/punycode from dependencies to devDependencies
- Update @metamask/design-tokens from ^1.6.0 to ^1.12.0
- Update @metamask/post-message-stream from ^6.0.0 to ^6.2.0
- Update punycode from ^2.1.1 to ^2.3.0
- Update ses from ^0.18.1 to ^0.18.7
- "Back to safety" button now triggers a
backToSafetyPhishingWarningmessage to be sent on thephishingSafelistStream(#84)
- Restore iframe warning and "open in new tab" link (#73)
- BREAKING: Dynamically lookup the source of a block (#57)
- The query parameter
newIssueUrlis no longer accepted. Instead this page will look up the source of a block dynamically. - We no longer show on the page which project is responsible for the block. This will be restored in a future version.
- The query parameter
- Redesign the phishing warning page (#52)
- Update
sesversion from v0.12.4 to v10.18.1 (#53) - Update @metamask/design-tokens from 1.9.0 to 1.11.1 (#46)
- This includes minor color updates.
- Fix build script to exclude file imports from
@metamask/post-message-streamwhich expect to only run in the context of a Web worker (#27)
1.2.0 [DEPRECATED]
- Add a check for the protocol of the url being blocked. Remove
continue at your own riskoption if protocol is disallowed (#16) - Add optional arg
newIssueUrltogetUrlfunction so that the correct link to direct disputes can be specified by a hash query param. (#23)
- Add service worker for offline caching (#9)
- Add favicons (#8)
- Add actions to publish to gh-pages (#3)
- Add dummy "main" script (#6)
- This allows locating the package install directory using
require.resolve, which is better for compatibility between package managers. - The main script throws an error, helping to prevent accidental misuse.
- This allows locating the package install directory using
- Skip initialization if the page is being loaded solely to install the service worker (#11)
- If the hash
#extensionStartupis set, skip setup and assume the page is being loaded just for service worker installation. We use this technique to ensure the service worker is installed during the MetaMask extension startup process.
- If the hash
- Add anti-clickjacking measures (#12)
- A script was added to the HTML file to detect when the frame is being embedded. If it detects that it is embedded, a separate design is used that prompts the user to open the warning page in a new tab to proceed. This ensures the blocked page cannot be added to the safelist via a clickjacking attack.
- Initial implementation of the phishing warning page
- This should behave identically to the phishing warning page built into the MetaMask extension.