fix: use hostname to check against allowlist #4645
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Explanation
The current implementation of the
PhishingController
uses the full origin (Punycode encoded) to check against the allowlist. This approach has limitations when dealing with subdomains or variations in the URL structure, which could lead to inconsistent results or false negatives.The changes introduced in this PR address these issues by extracting the hostname from the origin and checking the allowlist against this hostname instead of the full origin. This ensures that variations in the URL structure do not prevent legitimate domains from being correctly recognized as safe.
Specifically, this PR:
test
,isBlockedRequest
, andbypass
methods to use the hostname for allowlist checks.getHostnameFromUrl
, which extracts the hostname from a given URL. This function is now used across thePhishingController
to standardize how hostnames are derived from origins.These changes ensure that domains are properly validated against the allowlist regardless of URL variations.
References
Changelog
@metamask/phishing-controller
test
,isBlockedRequest
, andbypass
methods to use the hostname for allowlist checks instead of the full origin.getHostnameFromUrl
utility function to standardize hostname extraction from URLs.Checklist