New design for phishing warning page #52
Conversation
There was a problem hiding this comment.
Hey @aleksandar-mihajlovic, nice work matching the Figma design but I think it breaks some of the MetaMask design system conventions that I think should be resolved before this get's merged.
Hey @holantonela, I've left some comments in the Figma file https://www.figma.com/file/MKJnCnI8Xi2EVcRCNAHwOu?node-id=4:49#355806441
|
Verified by QA |
|
@georgewrmarshall commented in the figma. Someone introduced that change, but i bet it was a click error. Please, @aleksandar-mihajlovic lets remove the border and the shadow of the title. Thank you! |
There was a problem hiding this comment.
Looking good! Have made one more suggestion. Thanks for your patience @aleksandar-mihajlovic 🙏
static/index.html
Outdated
| </p> | ||
| </br> | ||
| <p>Advisory provided by Ethereum Phishing Detector, CryptoScamDB, and PhishFort.</p> |
There was a problem hiding this comment.
This list should be dynamic. We should expose ONLY the sources who are flagging the current URL @aleksandar-mihajlovic @dzfjz
There was a problem hiding this comment.
Well, as I understand, these websites are not scam websites, they are websites that give users info about how to avoid phishing, so they don't need to be listed dynamically. Am I wrong?
And about source that is scam website, the link will be shown in this sentence:
Potential threats on {someWebsite} include:
but i cannot demo it, because i cannot build the project and connect with extension to test it out, but website link will be there once it goes to production.
@holantonela
There was a problem hiding this comment.
To do so, we need to add a query string in the PhishingController to say which list flagged it. cc @409H
There was a problem hiding this comment.
I am not sure that I understand what I need to do here, because i am not sure what i am doing wrong, if you could explain it to me
There was a problem hiding this comment.
This is the point 2 in the Acceptance Criteria
- Users can read the attribution to who flagged the domain, probably passed to that page with a query string.
There was a problem hiding this comment.
@409H I currently implemented logic to detect through current query string, I would say that I found a decent solution for now, but in future when other detect repo's are added, this logic should be updated too, if that is okay?
There was a problem hiding this comment.
@409H thanks for linking that, I had failed to consider this requirement when reviewing a cost-saving change to how we poll for the phishing list. Unfortunately this information will no longer be available after that change because we're now combining all lists into one to save on network bandwidth.
Still, we can fulfill this requirement without that data by checking on-demand after a user chooses to dispute a block. Tomorrow I will create a separate issue detailing how this needs to change.
There was a problem hiding this comment.
@aleksandar-mihajlovic My apologies, I hadn't looked closely at this PR when I left my first comment.
I don't think we need the onload function you added for this, because that same logic is already handled by index.ts. It was implemented here: #23. We pass in a custom dispute URL if a site is blocked by Phishfort, otherwise we default to ours. As long as that newIssueUrl continues to be set dynamically on this link, no change to this behavior is needed here.
There was a problem hiding this comment.
@Gudahtt Okay, i removed that part of the code for linking on the onload function, and returned to the old state like you mentioned, is it okay now?
There was a problem hiding this comment.
Thanks @aleksandar-mihajlovic , yes this thread looks resolved now
|
@georgewrmarshall can you check the attached gif, is the button okay now? I used the Button Secondary as mentioned in Figma. |
There was a problem hiding this comment.
Looking good! I've created another PR with some more CSS suggestions #55 that you can review and merge into this PR if you think they are acceptable.
|
I have added the CSS code that you suggested @georgewrmarshall if you can check it out. |
static/index.html
Outdated
| safety. As always, your transactions are your own responsibility. <span id="redirect-warning-message">If | ||
| you wish to interact with any domain on our warning list, you can do | ||
| so by <a id="unsafe-continue">continuing at your own risk</a>.</span> | ||
| MetaMask flagged the site you're trying to visit as potentially deceptive. Attackers may trick you into doing something dangerous. <a id="csdbLink" href='' onclick="window.open('https://cryptoscamdb.org/search')">Learn more</a> |
There was a problem hiding this comment.
this call unsafely allows reverse tab nabbing attacks (read more here) - please fix by adding attribute rel="noopener"
There was a problem hiding this comment.
also, why use onclick and open when you have the default behaviour of an anchor element?
<a id="csdbLink" rel="noopener" href='https://cryptoscamdb.org/search' target='_blank'">Learn more</a>
There was a problem hiding this comment.
Okay no problem, if it is making security problems, i will changed it right now, you can look at it, if it is okay. @weizman
|
can we make sure that whatever ends up going to prod, we make the attribution prominent and point them towards the correct contributor to raise an issue? |
Yes @AlexHerman1, we discussed it here |
| @@ -11,6 +11,17 @@ | |||
| document.getElementById('antiClickjack').innerHTML = | |||
| '#content__framed-body { display: none !important; }'; | |||
| } | |||
|
|
|||
| window.onload = function() { | |||
| document.getElementById("suspect-link").innerText = document.referrer; | |||
There was a problem hiding this comment.
Nit: Could you move this code to the start function in src/index.ts? That is where all of our other "page initialization" code is.
This test was recently removed in #52 due to a change on that PR that was since undone. It is still relevant, so it has been restored.
This test was recently removed in #52 due to a change on that PR that was since undone. It is still relevant, so it has been restored.
The "Open in new tab" link that we show on the warning page when it's rendered in an iframe was accidentally removed in #52. We need to preserve this button so that users can better understand why their iframe'd page is blocked, and so they can dispute or bypass the block if necessary.
The "Open in new tab" link that we show on the warning page when it's rendered in an iframe was accidentally removed in #52. We need to preserve this button so that users can better understand why their iframe'd page is blocked, and so they can dispute or bypass the block if necessary.
Explanation
Added new design for phishing warning page according to figma design.
Screenshots/Screencaps
Before
After
Manual Testing Steps
Production testing:
Local testing: