Bug 399233 - "Phishing UI hidden by content, inconsistent with malware" [p=johnath r=tony r=biesi ui-r=beltzner a=blocking-firefox3+ for M9]

This commit is contained in:
reed@reedloden.com 2007-10-29 11:29:14 -07:00
Родитель 78055c441c
Коммит 8850553178
18 изменённых файлов: 326 добавлений и 64 удалений

Просмотреть файл

@ -539,6 +539,10 @@ pref("browser.safebrowsing.provider.0.reportPhishURL", "http://{moz:locale}.phis
// FAQ URL
pref("browser.safebrowsing.warning.infoURL", "http://%LOCALE%.www.mozilla.com/%LOCALE%/firefox/phishing-protection/");
// Name of the about: page contributed by safebrowsing to handle display of error
// pages on phishing/malware hits. (bug 399233)
pref("urlclassifier.alternate_error_page", "blocked");
#endif
// defaults to true

Просмотреть файл

@ -38,8 +38,8 @@
var gDataProvider = null;
// An instance of our application is a PROT_Application object. It
// basically just populates a few globals and instantiates wardens and
// the listmanager.
// basically just populates a few globals and instantiates wardens,
// the listmanager, and the about:blocked error page.
/**
* An instance of our application. There should be exactly one of these.
@ -100,3 +100,30 @@ function PROT_Application() {
PROT_Application.prototype.getReportURL = function(name) {
return gDataProvider["getReport" + name + "URL"]();
}
/**
* about:blocked implementation
*/
PROT_Application.prototype.newChannel = function(uri) {
var ioService = Cc["@mozilla.org/network/io-service;1"]
.getService(Ci.nsIIOService);
var childURI = ioService.newURI("chrome://browser/content/safebrowsing/blockedSite.xhtml",
null, null);
var channel = ioService.newChannelFromURI(childURI);
channel.originalURI = uri;
return channel;
}
PROT_Application.prototype.getURIFlags = function(uri) {
return Ci.nsIAboutModule.ALLOW_SCRIPT;
}
PROT_Application.prototype.QueryInterface = function(iid) {
if (iid.equals(Ci.nsISupports) ||
iid.equals(Ci.nsIAboutModule))
return this;
Components.returnCode = Components.results.NS_ERROR_NO_INTERFACE;
return null;
}

Просмотреть файл

@ -0,0 +1,210 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html [
<!ENTITY % htmlDTD PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd">
%htmlDTD;
<!ENTITY % globalDTD SYSTEM "chrome://global/locale/global.dtd">
%globalDTD;
<!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
%brandDTD;
<!ENTITY % blockedSiteDTD SYSTEM "chrome://browser/locale/safebrowsing/phishing-afterload-warning-message.dtd">
%blockedSiteDTD;
]>
<!-- ***** BEGIN LICENSE BLOCK *****
- Version: MPL 1.1/GPL 2.0/LGPL 2.1
-
- The contents of this file are subject to the Mozilla Public License Version
- 1.1 (the "License"); you may not use this file except in compliance with
- the License. You may obtain a copy of the License at
- http://www.mozilla.org/MPL/
-
- Software distributed under the License is distributed on an "AS IS" basis,
- WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
- for the specific language governing rights and limitations under the
- License.
-
- The Original Code is mozilla.org code.
-
- The Initial Developer of the Original Code is
- Netscape Communications Corporation.
- Portions created by the Initial Developer are Copyright (C) 1998
- the Initial Developer. All Rights Reserved.
-
- Contributor(s):
- Adam Lock <adamlock@netscape.com>
- William R. Price <wrprice@alumni.rice.edu>
- Henrik Skupin <mozilla@hskupin.info>
- Jeff Walden <jwalden+code@mit.edu>
- Johnathan Nightingale <johnath@mozilla.com>
-
- Alternatively, the contents of this file may be used under the terms of
- either the GNU General Public License Version 2 or later (the "GPL"), or
- the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
- in which case the provisions of the GPL or the LGPL are applicable instead
- of those above. If you wish to allow use of your version of this file only
- under the terms of either the GPL or the LGPL, and not to allow others to
- use your version of this file under the terms of the MPL, indicate your
- decision by deleting the provisions above and replace them with the notice
- and other provisions required by the LGPL or the GPL. If you do not delete
- the provisions above, a recipient may use your version of this file under
- the terms of any one of the MPL, the GPL or the LGPL.
-
- ***** END LICENSE BLOCK ***** -->
<html xmlns="http://www.w3.org/1999/xhtml" class="blacklist">
<head>
<link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" />
<link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/blacklist_favicon.png"/>
<script type="application/javascript" src="chrome://global/content/strres.js"/>
<script type="application/javascript"><![CDATA[
// Error url MUST be formatted like this:
// about:blocked?e=error_code&u=url
// Note that this file uses document.documentURI to get
// the URL (with the format from above). This is because
// document.location.href gets the current URI off the docshell,
// which is the URL displayed in the location bar, i.e.
// the URI that the user attempted to load.
function getErrorCode()
{
var url = document.documentURI;
var error = url.search(/e\=/);
var duffUrl = url.search(/\&u\=/);
return decodeURIComponent(url.slice(error + 2, duffUrl));
}
function getURL()
{
var url = document.documentURI;
var index = url.search(/u\=/);
// index == -1 if not found; if so, return an empty string
// instead of what would turn out to be portions of the URI
if (index == -1)
return "";
return decodeURIComponent(url.slice(index + 2));
}
/**
* Attempt to parse the result of getURL and extract a hostname. Fail back
* to getURL so that we always return something meaningful.
*/
function getHostString()
{
var ios = Components.classes["@mozilla.org/network/io-service;1"]
.getService(Components.interfaces.nsIIOService);
var url = getURL();
try {
return ios.newURI(url, null, null).host;
} catch (e) {
return url;
}
}
// Elements that tend to need content set
var errorTitleText, errorShortDescText, errorLongDesc, errorLongDescText;
// The string bundles managing strings for various blocked page scenarios
var sb = srGetStrBundle("chrome://browser/locale/safebrowsing/blockedSite.properties");
var brandBundle = srGetStrBundle("chrome://branding/locale/brand.properties");
var brandShortName = brandBundle.GetStringFromName("brandShortName");
function initPage()
{
// Set up the cached elements
errorTitleText = document.getElementById("errorTitleText");
errorShortDescText = document.getElementById("errorShortDescText");
errorLongDesc = document.getElementById("errorLongDesc");
errorLongDescText = document.getElementById("errorLongDescText");
// Handoff to the appropriate initializer, based on error code
switch(getErrorCode()) {
case "malwareBlocked" :
initPage_malware();
break;
case "phishingBlocked" :
initPage_phishing();
break;
}
}
/**
* Initialize custom strings and functionality for blocked malware case
*/
function initPage_malware()
{
document.title = sb.GetStringFromName("malware.title");
errorTitleText.textContent = document.title;
errorShortDescText.textContent = sb.formatStringFromName("malware.shortDesc",
[getHostString()], 1);
errorLongDesc.innerHTML = sb.GetStringFromName("malware.longDesc");
}
/**
* Initialize custom strings and functionality for blocked phishing case
*/
function initPage_phishing()
{
document.title = sb.GetStringFromName("phishing.title");
errorTitleText.textContent = document.title;
errorShortDescText.textContent = sb.formatStringFromName("phishing.shortDesc",
[getHostString()], 1);
var longDesc = sb.GetStringFromName("phishing.longDesc");
// If we have a more-info link for the phishing information, add it in,
// otherwise just use the generic text
var faqURL = Components.classes["@mozilla.org/toolkit/URLFormatterService;1"]
.getService(Components.interfaces.nsIURLFormatter)
.formatURLPref("browser.safebrowsing.warning.infoURL");
if(faqURL && faqURL != "about:blank") {
longDesc += sb.formatStringFromName("phishing.learnMoreLink",
[brandShortName], 1);
errorLongDesc.innerHTML = longDesc;
document.getElementById("faqLink").setAttribute("href", faqURL);
}
else
errorLongDesc.innerHTML = longDesc;
}
]]></script>
</head>
<body dir="&locale.dir;">
<div id="errorPageContainer">
<!-- Error Title -->
<div id="errorTitle">
<h1 id="errorTitleText" />
</div>
<div id="errorLongContent">
<!-- Short Description -->
<div id="errorShortDesc">
<p id="errorShortDescText" />
</div>
<!-- Long Description -->
<div id="errorLongDesc">
<p id="errorLongDescText" />
</div>
<!-- Action buttons -->
<div id="buttons">
<xul:button xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
id="getMeOutButton" label="&safeb.palm.accept.label;" oncommand="window.home();" />
</div>
</div>
</div>
<!--
- Note: It is important to run the script this way, instead of using
- an onload handler. This is because error pages are loaded as
- LOAD_BACKGROUND, which means that onload handlers will not be executed.
-->
<script type="application/javascript">initPage();</script>
</body>
</html>

Просмотреть файл

@ -64,6 +64,13 @@ function PROT_MalwareWarden() {
"a:1:" + testData.length + "\n" +
testData +
"\n";
testData = "mozilla.com/firefox/its-a-trap.html";
testUpdate +=
"n:1000\ni:test-phish-simple\nad:1\n" +
"a:1:" + testData.length + "\n" +
testData +
"\n";
var dbService_ = Cc["@mozilla.org/url-classifier/dbservice;1"]
.getService(Ci.nsIUrlClassifierDBService);

Просмотреть файл

@ -532,26 +532,7 @@ PROT_PhishMsgDisplayerCanvas.inherits(PROT_PhishMsgDisplayerBase);
* Displays the warning message. First we make sure the overlay is loaded
* then call showMessageAfterOverlay_.
*/
PROT_PhishMsgDisplayerCanvas.prototype.showMessage_ = function() {
G_Debug(this, "Showing message.");
// Load the overlay if we haven't already.
var dimmer = this.doc_.getElementById('safebrowsing-dim-area-canvas');
if (!dimmer) {
var onOverlayMerged = BindToObject(this.showMessageAfterOverlay_,
this);
var observer = new G_ObserverWrapper("xul-overlay-merged",
onOverlayMerged);
this.doc_.loadOverlay(
"chrome://browser/content/safebrowsing/warning-overlay.xul",
observer);
} else {
// The overlay is already loaded so we go ahead and call
// showMessageAfterOverlay_.
this.showMessageAfterOverlay_();
}
}
PROT_PhishMsgDisplayerCanvas.prototype.showMessage_ = function() { }
/**
* This does the actual work of showing the warning message.
@ -678,34 +659,7 @@ PROT_PhishMsgDisplayerCanvas.prototype.isVisibleElement_ = function(elt) {
/**
* Hide the warning message from the user.
*/
PROT_PhishMsgDisplayerCanvas.prototype.hideMessage_ = function() {
G_Debug(this, "Hiding phishing warning.");
G_Assert(this, this.messageShowing_, "Hide message called but not showing?");
this.messageShowing_ = false;
this.repainter_.cancel();
this.repainter_ = null;
// Hide the warning popup.
var message = this.doc_.getElementById(this.messageId_);
message.hidden = true;
message.style.display = "none";
var content = this.doc_.getElementById(this.messageContentId_);
content.style.height = "";
content.style.overflow = "";
var tail = this.doc_.getElementById(this.messageTailId_);
tail.hidden = true;
tail.style.display = "none";
// Remove the canvas element from the chrome document.
var pageCanvas = this.doc_.getElementById(this.pageCanvasId_);
pageCanvas.parentNode.removeChild(pageCanvas);
// Hide the dimmer.
var dimarea = this.doc_.getElementById(this.dimAreaId_);
dimarea.hidden = true;
}
PROT_PhishMsgDisplayerCanvas.prototype.hideMessage_ = function() { }
/**

Просмотреть файл

@ -3,4 +3,5 @@ browser.jar:
* content/browser/safebrowsing/sb-loader.js (content/sb-loader.js)
+ content/browser/safebrowsing/warning-overlay.xul (content/warning-overlay.xul)
+ content/browser/safebrowsing/report-phishing-overlay.xul (content/report-phishing-overlay.xul)
+ content/browser/safebrowsing/blockedSite.xhtml (content/blockedSite.xhtml)
% overlay chrome://browser/content/browser.xul chrome://browser/content/safebrowsing/report-phishing-overlay.xul

Просмотреть файл

@ -61,6 +61,13 @@ SafebrowsingApplicationMod.prototype.registerSelf = function(compMgr, fileSpec,
fileSpec,
loc,
type);
compMgr.registerFactoryLocation(this.cid,
"UrlClassifier Blocked Error Page",
"@mozilla.org/network/protocol/about;1?what=blocked",
fileSpec,
loc,
type);
};
SafebrowsingApplicationMod.prototype.getClassObject = function(compMgr, cid, iid) {

Просмотреть файл

@ -0,0 +1,11 @@
malware.title=Suspected Attack Site!
malware.shortDesc=The web site at %S has been reported as an attack site, and has been blocked based on your security preferences.
malware.longDesc=<p>Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.</p>\n<p>Web site owners who believe their site has been reported as an attack site in error may <a href='http://www.stopbadware.org/home/reviewinfo' >request a review</a>.</p>
phishing.title=Suspected Web Forgery!
phishing.shortDesc=The web site at %S has been reported as a web forgery designed to trick users into sharing personal or financial information.
phishing.longDesc=<p>Entering any personal information on this page may result in identity theft or other fraud.</p><p>These types of web forgeries are used in scams known as phishing attacks, in which fraudulent web pages and emails are used to imitate sources you may trust.</p>
# Localization note (phishing.learnMoreLink): please leave the <a id="faqLink" href=""> text
# as-is. A localized href is pulled in from user preferences automatically.
phishing.learnMoreLink=<p>You can find out more about <a id="faqLink" href="">how %S protects you</a> from phishing attacks.</p>

Просмотреть файл

@ -60,3 +60,4 @@ externalProtocolUnknown=<Unknown>
externalProtocolChkMsg=Remember my choice for all links of this type.
externalProtocolLaunchBtn=Launch application
malwareBlocked=The site at %S has been reported as an attack site and has been blocked based on your security preferences.
phishingBlocked=The web site at %S has been reported as a web forgery designed to trick users into sharing personal or financial information.

Просмотреть файл

@ -140,3 +140,9 @@
<p>Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.</p>
<p>Web site owners who believe their site has been reported as an attack site in error may <a href='http://www.stopbadware.org/home/reviewinfo' >request a review</a>.</p>
">
<!ENTITY phishingBlocked.title "Suspected Web Forgery!">
<!ENTITY phishingBlocked.longDesc "
<p>Entering any personal information on this page may result in identity theft or other fraud.</p>
<p>These types of web forgeries are used in scams known as phishing attacks, in which fraudulent web pages and emails are used to imitate sources you may trust.</p>
">

Просмотреть файл

@ -37,6 +37,7 @@
#ifdef MOZ_SAFE_BROWSING
locale/browser/safebrowsing/phishing-afterload-warning-message.dtd (%chrome/browser/safebrowsing/phishing-afterload-warning-message.dtd)
locale/browser/safebrowsing/report-phishing.dtd (%chrome/browser/safebrowsing/report-phishing.dtd)
locale/browser/safebrowsing/blockedSite.properties (%chrome/browser/safebrowsing/blockedSite.properties)
#endif
locale/browser/feeds/subscribe.dtd (%chrome/browser/feeds/subscribe.dtd)
locale/browser/feeds/subscribe.properties (%chrome/browser/feeds/subscribe.properties)

Просмотреть файл

@ -2853,6 +2853,9 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI *aURI,
nsresult rv = NS_OK;
nsAutoString messageStr;
nsCAutoString cssClass;
nsCAutoString errorPage;
errorPage.AssignLiteral("neterror");
// Turn the error code into a human readable error message.
if (NS_ERROR_UNKNOWN_PROTOCOL == aError) {
@ -2947,6 +2950,25 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI *aURI,
}
if (!messageStr.IsEmpty())
error.AssignLiteral("nssFailure2");
} else if (NS_ERROR_PHISHING_URI == aError || NS_ERROR_MALWARE_URI == aError) {
nsCAutoString host;
aURI->GetHost(host);
CopyUTF8toUTF16(host, formatStrs[0]);
formatStrCount = 1;
// Malware and phishing detectors may want to use an alternate error
// page, but if the pref's not set, we'll fall back on the standard page
nsXPIDLCString alternateErrorPage;
mPrefs->GetCharPref("urlclassifier.alternate_error_page",
getter_Copies(alternateErrorPage));
if (alternateErrorPage)
errorPage.Assign(alternateErrorPage);
if (NS_ERROR_PHISHING_URI == aError)
error.AssignLiteral("phishingBlocked");
else
error.AssignLiteral("malwareBlocked");
cssClass.AssignLiteral("blacklist");
}
else {
// Errors requiring simple formatting
@ -2993,15 +3015,6 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI *aURI,
// Bad Content Encoding.
error.AssignLiteral("contentEncodingError");
break;
case NS_ERROR_MALWARE_URI:
nsCAutoString host;
aURI->GetHost(host);
CopyUTF8toUTF16(host, formatStrs[0]);
formatStrCount = 1;
error.AssignLiteral("malwareBlocked");
cssClass.AssignLiteral("blacklist");
break;
}
}
@ -3042,8 +3055,8 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI *aURI,
// URI object. Missing URI objects are handled badly by session history.
if (mUseErrorPages && aURI && aFailedChannel) {
// Display an error page
LoadErrorPage(aURI, aURL, error.get(), messageStr.get(),
cssClass.get(), aFailedChannel);
LoadErrorPage(aURI, aURL, errorPage.get(), error.get(),
messageStr.get(), cssClass.get(), aFailedChannel);
}
else
{
@ -3066,6 +3079,7 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI *aURI,
NS_IMETHODIMP
nsDocShell::LoadErrorPage(nsIURI *aURI, const PRUnichar *aURL,
const char *aErrorPage,
const PRUnichar *aErrorType,
const PRUnichar *aDescription,
const char *aCSSClass,
@ -3135,7 +3149,9 @@ nsDocShell::LoadErrorPage(nsIURI *aURI, const PRUnichar *aURL,
char *escapedDescription = nsEscape(NS_ConvertUTF16toUTF8(aDescription).get(), url_Path);
char *escapedCSSClass = nsEscape(aCSSClass, url_Path);
nsCString errorPageUrl("about:neterror?e=");
nsCString errorPageUrl("about:");
errorPageUrl.AppendASCII(aErrorPage);
errorPageUrl.AppendLiteral("?e=");
errorPageUrl.AppendASCII(escapedError);
errorPageUrl.AppendLiteral("&u=");

Просмотреть файл

@ -404,7 +404,8 @@ protected:
const PRUnichar *aURL,
nsIChannel* aFailedChannel = nsnull);
NS_IMETHOD LoadErrorPage(nsIURI *aURI, const PRUnichar *aURL,
const PRUnichar *aPage,
const char *aErrorPage,
const PRUnichar *aErrorType,
const PRUnichar *aDescription,
const char *aCSSClass,
nsIChannel* aFailedChannel);

Просмотреть файл

@ -1195,6 +1195,7 @@ nsresult nsWebShell::EndPageLoad(nsIWebProgress *aProgress,
aStatus == NS_ERROR_NET_INTERRUPT ||
aStatus == NS_ERROR_NET_RESET ||
aStatus == NS_ERROR_MALWARE_URI ||
aStatus == NS_ERROR_PHISHING_URI ||
NS_ERROR_GET_MODULE(aStatus) == NS_ERROR_MODULE_SECURITY) {
DisplayLoadError(aStatus, url, nsnull, channel);
}

Просмотреть файл

@ -60,3 +60,4 @@ externalProtocolUnknown=<Unknown>
externalProtocolChkMsg=Remember my choice for all links of this type.
externalProtocolLaunchBtn=Launch application
malwareBlocked=The site at %S has been reported as an attack site and has been blocked based on your security preferences.
phishingBlocked=The web site at %S has been reported as a web forgery designed to trick users into sharing personal or financial information.

Просмотреть файл

@ -59,3 +59,9 @@
<p>Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.</p>
<p>Web site owners who believe their site has been reported as an attack site in error may <a href='http://www.stopbadware.org/home/reviewinfo' >request a review</a>.</p>
">
<!ENTITY phishingBlocked.title "Suspected Web Forgery!">
<!ENTITY phishingBlocked.longDesc "
<p>Entering any personal information on this page may result in identity theft or other fraud.</p>
<p>These types of web forgeries are used in scams known as phishing attacks, in which fraudulent web pages and emails are used to imitate sources you may trust.</p>
">

Просмотреть файл

@ -2107,6 +2107,13 @@ nsUrlClassifierClassifyCallback::HandleEvent(const nsACString& tables)
tables.EndReading(end);
if (FindInReadable(NS_LITERAL_CSTRING("-malware-"), begin, end)) {
response = NS_ERROR_MALWARE_URI;
} else {
// Reset begin before checking phishing table
tables.BeginReading(begin);
if (FindInReadable(NS_LITERAL_CSTRING("-phish-"), begin, end)) {
response = NS_ERROR_PHISHING_URI;
}
}
mCallback->OnClassifyComplete(response);

Просмотреть файл

@ -93,9 +93,10 @@ protected:
};
/**
* The load has been cancelled because it was found on a malware blacklist.
* The load has been cancelled because it was found on a malware or phishing blacklist.
* XXX: this belongs in an nsDocShellErrors.h file of some sort.
*/
#define NS_ERROR_MALWARE_URI NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_URILOADER, 30)
#define NS_ERROR_PHISHING_URI NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_URILOADER, 31)
#endif /* nsURILoader_h__ */