browser: do not resolve any .top domains

We mark any URL with ".top" in it as not secure in the browser, and an explicit condition is added in resolve-url so that URLs containing ".top" are not resolved.

We've been seeing lots of reports within the status community where people are scammed by malicious entities on telegram/whatsapp and they are being told to open these urls on status browser which in turn asks them to link their wallet to access the website.

This commit is not a proper fix but a temporary solution to stop these scammers. A more robust solution would be to integrate with an open source phishing url detector.
Siddarth Kumar 2023-06-29 08:20:40 +05:30
parent 61660128fd
commit 7958bf189c
No known key found for this signature in database
GPG Key ID: F84DB2CA5207F534
1 changed files with 11 additions and 9 deletions


@ -44,7 +44,7 @@
(or dapp? (or dapp?
(and (not error?) (and (not error?)
(when url (when url
(string/starts-with? url "https://"))))) (and (string/starts-with? url "https://") (string/includes? url ".top"))))))
(fx/defn remove-browser (fx/defn remove-browser
{:events [:browser.ui/remove-browser-pressed]} {:events [:browser.ui/remove-browser-pressed]}
@ -78,14 +78,16 @@
(fx/defn resolve-url (fx/defn resolve-url
[{:keys [db]} {:keys [error? resolved-url]}] [{:keys [db]} {:keys [error? resolved-url]}]
(when (not error?) (when (not error?)
(let [current-url (get-current-url (get-current-browser db)) (let [current-url (get-current-url (get-current-browser db))
host (http/url-host current-url)] contains-top? (string/includes? current-url ".top")
(if (and (not resolved-url) (ens/is-valid-eth-name? host)) host (http/url-host current-url)]
{:db (update db :browser/options assoc :resolving? true) (when (not contains-top?)
:browser/resolve-ens-contenthash {:chain-id (ethereum/chain-id db) (if (and (not resolved-url) (ens/is-valid-eth-name? host))
:ens-name host {:db (update db :browser/options assoc :resolving? true)
:cb resolve-ens-contenthash-callback}} :browser/resolve-ens-contenthash {:chain-id (ethereum/chain-id db)
{:db (update db :browser/options assoc :url (or resolved-url current-url) :resolving? false)})))) :ens-name host
:cb resolve-ens-contenthash-callback}}
{:db (update db :browser/options assoc :url (or resolved-url current-url) :resolving? false)})))))
(fx/defn update-browser (fx/defn update-browser
[{:keys [db]} [{:keys [db]}
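Review bot: The condition added in the first hunk, `(and (string/starts-with? url "https://") (string/includes? url ".top"))`, is true only for https URLs that contain ".top", which is the opposite of what the commit message describes and would make every other https URL fail this check. It presumably needs a negation: `(and (string/starts-with? url "https://") (not (string/includes? url ".top")))`. In both hunks the test is a case-sensitive substring match over the whole URL, so it also fires on paths, query strings and hosts such as `example.topic.com` (constructed example), and it misses `.TOP`. In resolve-url `host` is already bound, so a host-suffix comparison such as `(string/ends-with? (string/lower-case host) ".top")` would be tighter, assuming `http/url-host` returns the bare hostname. The function containing the first hunk starts outside the hunk.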