browser: do not resolve any .top domains

We mark any url with ".top" in it as not secure in the browser and an explicit condition is added in resolve-url to not resolve any urls that contain the ".top" in their urls. We've been seeing lots of reports within the status community where people are scammed by malicious entities on telegram/whatsapp and they are being told to open these urls on status browser which in turn asks them to link their wallet to access the website. This commit is not a proper fix but a temporary solution to stop these scammers. A more robust solution would be to integrate with an open source phishing url detector.
2023-06-29 08:20:40 +05:30 · 2023-06-29 08:20:40 +05:30 · 7958bf189c
parent 61660128fd
commit 7958bf189c
1 changed files with 11 additions and 9 deletions
--- a/src/status_im/browser/core.cljs
+++ b/src/status_im/browser/core.cljs
@ -44,7 +44,7 @@
  (or dapp?
      (and (not error?)
           (when url
-             (string/starts-with? url "https://")))))
+             (and (string/starts-with? url "https://") (string/includes? url ".top"))))))

 (fx/defn remove-browser
  {:events [:browser.ui/remove-browser-pressed]}
@ -78,14 +78,16 @@
 (fx/defn resolve-url
  [{:keys [db]} {:keys [error? resolved-url]}]
  (when (not error?)
-    (let [current-url (get-current-url (get-current-browser db))
-          host (http/url-host current-url)]
-      (if (and (not resolved-url) (ens/is-valid-eth-name? host))
-        {:db                            (update db :browser/options assoc :resolving? true)
-         :browser/resolve-ens-contenthash {:chain-id (ethereum/chain-id db)
-                                           :ens-name host
-                                           :cb       resolve-ens-contenthash-callback}}
-        {:db (update db :browser/options assoc :url (or resolved-url current-url) :resolving? false)}))))
+        (let [current-url   (get-current-url (get-current-browser db))
+              contains-top? (string/includes? current-url ".top")
+              host          (http/url-host current-url)]
+          (when (not contains-top?)
+                (if (and  (not resolved-url) (ens/is-valid-eth-name? host))
+                  {:db                            (update db :browser/options assoc :resolving? true)
+                   :browser/resolve-ens-contenthash {:chain-id (ethereum/chain-id db)
+                                                     :ens-name host
+                                                     :cb       resolve-ens-contenthash-callback}}
+                  {:db (update db :browser/options assoc :url (or resolved-url current-url) :resolving? false)})))))

 (fx/defn update-browser
  [{:keys [db]}