From 88505531780e8d7352832c5fd75415bc81363750 Mon Sep 17 00:00:00 2001
From: "reed@reedloden.com" <reed@reedloden.com>
Date: Mon, 29 Oct 2007 11:29:14 -0700
Subject: [PATCH] Bug 399233 - "Phishing UI hidden by content, inconsistent
 with malware" [p=johnath r=tony r=biesi ui-r=beltzner a=blocking-firefox3+
 for M9]

---
 browser/app/profile/firefox.js                |   4 +
 .../safebrowsing/content/application.js       |  31 ++-
 .../safebrowsing/content/blockedSite.xhtml    | 210 ++++++++++++++++++
 .../safebrowsing/content/malware-warden.js    |   7 +
 .../content/phishing-afterload-displayer.js   |  50 +----
 browser/components/safebrowsing/jar.mn        |   1 +
 .../src/nsSafebrowsingApplication.js          |   7 +
 .../safebrowsing/blockedSite.properties       |  11 +
 .../chrome/overrides/appstrings.properties    |   1 +
 .../en-US/chrome/overrides/netError.dtd       |   6 +
 browser/locales/jar.mn                        |   1 +
 docshell/base/nsDocShell.cpp                  |  40 +++-
 docshell/base/nsDocShell.h                    |   3 +-
 docshell/base/nsWebShell.cpp                  |   1 +
 .../en-US/chrome/appstrings.properties        |   1 +
 dom/locales/en-US/chrome/netError.dtd         |   6 +
 .../src/nsUrlClassifierDBService.cpp          |   7 +
 uriloader/base/nsURILoader.h                  |   3 +-
 18 files changed, 326 insertions(+), 64 deletions(-)
 create mode 100644 browser/components/safebrowsing/content/blockedSite.xhtml
 create mode 100644 browser/locales/en-US/chrome/browser/safebrowsing/blockedSite.properties

diff --git a/browser/app/profile/firefox.js b/browser/app/profile/firefox.js
index f1bbc962019..3130f64527b 100644
--- a/browser/app/profile/firefox.js
+++ b/browser/app/profile/firefox.js
@@ -539,6 +539,10 @@ pref("browser.safebrowsing.provider.0.reportPhishURL", "http://{moz:locale}.phis
 
 // FAQ URL
 pref("browser.safebrowsing.warning.infoURL", "http://%LOCALE%.www.mozilla.com/%LOCALE%/firefox/phishing-protection/");
+
+// Name of the about: page contributed by safebrowsing to handle display of error
+// pages on phishing/malware hits.  (bug 399233)
+pref("urlclassifier.alternate_error_page", "blocked");
 #endif
 
 // defaults to true
diff --git a/browser/components/safebrowsing/content/application.js b/browser/components/safebrowsing/content/application.js
index bce52af2ba4..31c8460c17a 100644
--- a/browser/components/safebrowsing/content/application.js
+++ b/browser/components/safebrowsing/content/application.js
@@ -38,8 +38,8 @@
 var gDataProvider = null;
 
 // An instance of our application is a PROT_Application object. It
-// basically just populates a few globals and instantiates wardens and
-// the listmanager.
+// basically just populates a few globals and instantiates wardens,
+// the listmanager, and the about:blocked error page.
 
 /**
  * An instance of our application. There should be exactly one of these.
@@ -100,3 +100,30 @@ function PROT_Application() {
 PROT_Application.prototype.getReportURL = function(name) {
   return gDataProvider["getReport" + name + "URL"]();
 }
+
+/**
+ * about:blocked implementation
+ */
+PROT_Application.prototype.newChannel = function(uri) {
+  var ioService = Cc["@mozilla.org/network/io-service;1"]
+                 .getService(Ci.nsIIOService);
+  var childURI = ioService.newURI("chrome://browser/content/safebrowsing/blockedSite.xhtml",
+                                  null, null);
+  var channel = ioService.newChannelFromURI(childURI);
+  channel.originalURI = uri;
+
+  return channel;
+}
+
+PROT_Application.prototype.getURIFlags = function(uri) {
+  return Ci.nsIAboutModule.ALLOW_SCRIPT;
+}
+
+PROT_Application.prototype.QueryInterface = function(iid) {
+  if (iid.equals(Ci.nsISupports) ||
+      iid.equals(Ci.nsIAboutModule))
+    return this;
+
+  Components.returnCode = Components.results.NS_ERROR_NO_INTERFACE;
+  return null;
+}
diff --git a/browser/components/safebrowsing/content/blockedSite.xhtml b/browser/components/safebrowsing/content/blockedSite.xhtml
new file mode 100644
index 00000000000..63a145e14c8
--- /dev/null
+++ b/browser/components/safebrowsing/content/blockedSite.xhtml
@@ -0,0 +1,210 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!DOCTYPE html [
+  <!ENTITY % htmlDTD PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "DTD/xhtml1-strict.dtd">
+  %htmlDTD;
+  <!ENTITY % globalDTD SYSTEM "chrome://global/locale/global.dtd">
+  %globalDTD;
+  <!ENTITY % brandDTD SYSTEM "chrome://branding/locale/brand.dtd" >
+  %brandDTD;
+  <!ENTITY % blockedSiteDTD SYSTEM "chrome://browser/locale/safebrowsing/phishing-afterload-warning-message.dtd">
+  %blockedSiteDTD;
+]>
+
+<!-- ***** BEGIN LICENSE BLOCK *****
+   - Version: MPL 1.1/GPL 2.0/LGPL 2.1
+   -
+   - The contents of this file are subject to the Mozilla Public License Version
+   - 1.1 (the "License"); you may not use this file except in compliance with
+   - the License. You may obtain a copy of the License at
+   - http://www.mozilla.org/MPL/
+   -
+   - Software distributed under the License is distributed on an "AS IS" basis,
+   - WITHOUT WARRANTY OF ANY KIND, either express or implied. See the License
+   - for the specific language governing rights and limitations under the
+   - License.
+   -
+   - The Original Code is mozilla.org code.
+   -
+   - The Initial Developer of the Original Code is
+   - Netscape Communications Corporation.
+   - Portions created by the Initial Developer are Copyright (C) 1998
+   - the Initial Developer. All Rights Reserved.
+   -
+   - Contributor(s):
+   -   Adam Lock <adamlock@netscape.com>
+   -   William R. Price <wrprice@alumni.rice.edu>
+   -   Henrik Skupin <mozilla@hskupin.info>
+   -   Jeff Walden <jwalden+code@mit.edu>
+   -   Johnathan Nightingale <johnath@mozilla.com>
+   -
+   - Alternatively, the contents of this file may be used under the terms of
+   - either the GNU General Public License Version 2 or later (the "GPL"), or
+   - the GNU Lesser General Public License Version 2.1 or later (the "LGPL"),
+   - in which case the provisions of the GPL or the LGPL are applicable instead
+   - of those above. If you wish to allow use of your version of this file only
+   - under the terms of either the GPL or the LGPL, and not to allow others to
+   - use your version of this file under the terms of the MPL, indicate your
+   - decision by deleting the provisions above and replace them with the notice
+   - and other provisions required by the LGPL or the GPL. If you do not delete
+   - the provisions above, a recipient may use your version of this file under
+   - the terms of any one of the MPL, the GPL or the LGPL.
+   -
+   - ***** END LICENSE BLOCK ***** -->
+
+<html xmlns="http://www.w3.org/1999/xhtml" class="blacklist">
+  <head>
+    <link rel="stylesheet" href="chrome://global/skin/netError.css" type="text/css" media="all" />
+    <link rel="icon" type="image/png" id="favicon" href="chrome://global/skin/icons/blacklist_favicon.png"/>
+
+    <script type="application/javascript" src="chrome://global/content/strres.js"/>
+    <script type="application/javascript"><![CDATA[
+      // Error url MUST be formatted like this:
+      //   about:blocked?e=error_code&u=url
+      
+      // Note that this file uses document.documentURI to get
+      // the URL (with the format from above). This is because
+      // document.location.href gets the current URI off the docshell,
+      // which is the URL displayed in the location bar, i.e.
+      // the URI that the user attempted to load.
+
+      function getErrorCode()
+      {
+        var url = document.documentURI;
+        var error = url.search(/e\=/);
+        var duffUrl = url.search(/\&u\=/);
+        return decodeURIComponent(url.slice(error + 2, duffUrl));
+      }
+
+      function getURL()
+      {
+        var url = document.documentURI;
+        var index = url.search(/u\=/);
+
+        // index == -1 if not found; if so, return an empty string
+        // instead of what would turn out to be portions of the URI
+        if (index == -1)
+          return "";
+
+        return decodeURIComponent(url.slice(index + 2));
+      }
+      
+      /**
+       * Attempt to parse the result of getURL and extract a hostname.  Fail back
+       * to getURL so that we always return something meaningful.
+       */
+      function getHostString()
+      {
+        var ios = Components.classes["@mozilla.org/network/io-service;1"]
+                            .getService(Components.interfaces.nsIIOService);
+        var url = getURL();
+        try {
+          return ios.newURI(url, null, null).host;
+        } catch (e) {
+          return url;
+        }
+      }
+      
+      // Elements that tend to need content set
+      var errorTitleText, errorShortDescText, errorLongDesc, errorLongDescText;
+
+      // The string bundles managing strings for various blocked page scenarios
+      var sb = srGetStrBundle("chrome://browser/locale/safebrowsing/blockedSite.properties");
+      var brandBundle = srGetStrBundle("chrome://branding/locale/brand.properties");
+      var brandShortName = brandBundle.GetStringFromName("brandShortName");
+      
+      function initPage()
+      {
+        // Set up the cached elements
+        errorTitleText = document.getElementById("errorTitleText");
+        errorShortDescText = document.getElementById("errorShortDescText");
+        errorLongDesc = document.getElementById("errorLongDesc");
+        errorLongDescText = document.getElementById("errorLongDescText");
+        
+        // Handoff to the appropriate initializer, based on error code
+        switch(getErrorCode()) {
+          case "malwareBlocked" :
+            initPage_malware();
+            break;
+          case "phishingBlocked" :
+            initPage_phishing();
+            break;
+        }
+      }        
+      
+      /**
+       * Initialize custom strings and functionality for blocked malware case
+       */
+      function initPage_malware()
+      {
+        document.title = sb.GetStringFromName("malware.title");
+        errorTitleText.textContent = document.title;
+        errorShortDescText.textContent = sb.formatStringFromName("malware.shortDesc",
+                                                                 [getHostString()], 1);
+        errorLongDesc.innerHTML = sb.GetStringFromName("malware.longDesc");
+      }
+      
+      /**
+       * Initialize custom strings and functionality for blocked phishing case
+       */
+      function initPage_phishing()
+      {
+        document.title = sb.GetStringFromName("phishing.title");
+        errorTitleText.textContent = document.title;
+        errorShortDescText.textContent = sb.formatStringFromName("phishing.shortDesc",
+                                                                 [getHostString()], 1);
+        
+        var longDesc = sb.GetStringFromName("phishing.longDesc");
+
+        // If we have a more-info link for the phishing information, add it in,
+        // otherwise just use the generic text
+        var faqURL = Components.classes["@mozilla.org/toolkit/URLFormatterService;1"]
+                               .getService(Components.interfaces.nsIURLFormatter)
+                               .formatURLPref("browser.safebrowsing.warning.infoURL");
+        if(faqURL && faqURL != "about:blank") {
+          longDesc += sb.formatStringFromName("phishing.learnMoreLink",
+                                              [brandShortName], 1);
+          errorLongDesc.innerHTML = longDesc;          
+          document.getElementById("faqLink").setAttribute("href", faqURL);
+        }
+        else 
+          errorLongDesc.innerHTML = longDesc;
+      }
+    ]]></script>
+  </head>
+
+  <body dir="&locale.dir;">
+    <div id="errorPageContainer">
+    
+      <!-- Error Title -->
+      <div id="errorTitle">
+        <h1 id="errorTitleText" />
+      </div>
+      
+      <div id="errorLongContent">
+      
+        <!-- Short Description -->
+        <div id="errorShortDesc">
+          <p id="errorShortDescText" />
+        </div>
+
+        <!-- Long Description -->
+        <div id="errorLongDesc">
+          <p id="errorLongDescText" />
+        </div>
+        
+        <!-- Action buttons -->
+        <div id="buttons">
+          <xul:button xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+                      id="getMeOutButton" label="&safeb.palm.accept.label;" oncommand="window.home();" />
+        </div>
+      </div>
+    </div>
+    <!--
+    - Note: It is important to run the script this way, instead of using
+    - an onload handler. This is because error pages are loaded as
+    - LOAD_BACKGROUND, which means that onload handlers will not be executed.
+    -->
+    <script type="application/javascript">initPage();</script>
+  </body>
+</html>
diff --git a/browser/components/safebrowsing/content/malware-warden.js b/browser/components/safebrowsing/content/malware-warden.js
index a201816fb08..9363e8020ab 100644
--- a/browser/components/safebrowsing/content/malware-warden.js
+++ b/browser/components/safebrowsing/content/malware-warden.js
@@ -64,6 +64,13 @@ function PROT_MalwareWarden() {
     "a:1:" + testData.length + "\n" +
     testData +
     "\n";
+    
+  testData = "mozilla.com/firefox/its-a-trap.html";
+  testUpdate +=
+    "n:1000\ni:test-phish-simple\nad:1\n" +
+    "a:1:" + testData.length + "\n" +
+    testData +
+    "\n";
 
   var dbService_ = Cc["@mozilla.org/url-classifier/dbservice;1"]
                    .getService(Ci.nsIUrlClassifierDBService);
diff --git a/browser/components/safebrowsing/content/phishing-afterload-displayer.js b/browser/components/safebrowsing/content/phishing-afterload-displayer.js
index 09aa7d803f2..0fbb7e7abca 100644
--- a/browser/components/safebrowsing/content/phishing-afterload-displayer.js
+++ b/browser/components/safebrowsing/content/phishing-afterload-displayer.js
@@ -532,26 +532,7 @@ PROT_PhishMsgDisplayerCanvas.inherits(PROT_PhishMsgDisplayerBase);
  * Displays the warning message.  First we make sure the overlay is loaded
  * then call showMessageAfterOverlay_.
  */
-PROT_PhishMsgDisplayerCanvas.prototype.showMessage_ = function() {
-  G_Debug(this, "Showing message.");
-
-  // Load the overlay if we haven't already.
-  var dimmer = this.doc_.getElementById('safebrowsing-dim-area-canvas');
-  if (!dimmer) {
-    var onOverlayMerged = BindToObject(this.showMessageAfterOverlay_,
-                                       this);
-    var observer = new G_ObserverWrapper("xul-overlay-merged",
-                                         onOverlayMerged);
-
-    this.doc_.loadOverlay(
-        "chrome://browser/content/safebrowsing/warning-overlay.xul",
-        observer);
-  } else {
-    // The overlay is already loaded so we go ahead and call
-    // showMessageAfterOverlay_.
-    this.showMessageAfterOverlay_();
-  }
-}
+PROT_PhishMsgDisplayerCanvas.prototype.showMessage_ = function() { }
 
 /**
  * This does the actual work of showing the warning message.
@@ -678,34 +659,7 @@ PROT_PhishMsgDisplayerCanvas.prototype.isVisibleElement_ = function(elt) {
 /**
  * Hide the warning message from the user.
  */
-PROT_PhishMsgDisplayerCanvas.prototype.hideMessage_ = function() {
-  G_Debug(this, "Hiding phishing warning.");
-  G_Assert(this, this.messageShowing_, "Hide message called but not showing?");
-
-  this.messageShowing_ = false;
-  this.repainter_.cancel();
-  this.repainter_ = null;
-
-  // Hide the warning popup.
-  var message = this.doc_.getElementById(this.messageId_);
-  message.hidden = true;
-  message.style.display = "none";
-  var content = this.doc_.getElementById(this.messageContentId_);
-  content.style.height = "";
-  content.style.overflow = "";
-
-  var tail = this.doc_.getElementById(this.messageTailId_);
-  tail.hidden = true;
-  tail.style.display = "none";
-
-  // Remove the canvas element from the chrome document.
-  var pageCanvas = this.doc_.getElementById(this.pageCanvasId_);
-  pageCanvas.parentNode.removeChild(pageCanvas);
-
-  // Hide the dimmer.
-  var dimarea = this.doc_.getElementById(this.dimAreaId_);
-  dimarea.hidden = true;
-}
+PROT_PhishMsgDisplayerCanvas.prototype.hideMessage_ = function() { }
 
 
 /**
diff --git a/browser/components/safebrowsing/jar.mn b/browser/components/safebrowsing/jar.mn
index 2c7212856c9..51d7b8653dd 100644
--- a/browser/components/safebrowsing/jar.mn
+++ b/browser/components/safebrowsing/jar.mn
@@ -3,4 +3,5 @@ browser.jar:
 * content/browser/safebrowsing/sb-loader.js                    (content/sb-loader.js)
 + content/browser/safebrowsing/warning-overlay.xul             (content/warning-overlay.xul)
 + content/browser/safebrowsing/report-phishing-overlay.xul     (content/report-phishing-overlay.xul)
++ content/browser/safebrowsing/blockedSite.xhtml               (content/blockedSite.xhtml)
 % overlay chrome://browser/content/browser.xul         chrome://browser/content/safebrowsing/report-phishing-overlay.xul
diff --git a/browser/components/safebrowsing/src/nsSafebrowsingApplication.js b/browser/components/safebrowsing/src/nsSafebrowsingApplication.js
index 4649cdf6166..570753c0f41 100644
--- a/browser/components/safebrowsing/src/nsSafebrowsingApplication.js
+++ b/browser/components/safebrowsing/src/nsSafebrowsingApplication.js
@@ -61,6 +61,13 @@ SafebrowsingApplicationMod.prototype.registerSelf = function(compMgr, fileSpec,
                                   fileSpec,
                                   loc,
                                   type);
+  
+  compMgr.registerFactoryLocation(this.cid,
+                                  "UrlClassifier Blocked Error Page",
+                                  "@mozilla.org/network/protocol/about;1?what=blocked",
+                                  fileSpec,
+                                  loc,
+                                  type);
 };
 
 SafebrowsingApplicationMod.prototype.getClassObject = function(compMgr, cid, iid) {  
diff --git a/browser/locales/en-US/chrome/browser/safebrowsing/blockedSite.properties b/browser/locales/en-US/chrome/browser/safebrowsing/blockedSite.properties
new file mode 100644
index 00000000000..22cfb423555
--- /dev/null
+++ b/browser/locales/en-US/chrome/browser/safebrowsing/blockedSite.properties
@@ -0,0 +1,11 @@
+malware.title=Suspected Attack Site!
+malware.shortDesc=The web site at %S has been reported as an attack site, and has been blocked based on your security preferences.
+malware.longDesc=<p>Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.</p>\n<p>Web site owners who believe their site has been reported as an attack site in error may <a href='http://www.stopbadware.org/home/reviewinfo' >request a review</a>.</p>
+
+phishing.title=Suspected Web Forgery!
+phishing.shortDesc=The web site at %S has been reported as a web forgery designed to trick users into sharing personal or financial information.
+phishing.longDesc=<p>Entering any personal information on this page may result in identity theft or other fraud.</p><p>These types of web forgeries are used in scams known as phishing attacks, in which fraudulent web pages and emails are used to imitate sources you may trust.</p>
+
+# Localization note (phishing.learnMoreLink): please leave the <a id="faqLink" href=""> text
+# as-is.  A localized href is pulled in from user preferences automatically.
+phishing.learnMoreLink=<p>You can find out more about <a id="faqLink" href="">how %S protects you</a> from phishing attacks.</p>
diff --git a/browser/locales/en-US/chrome/overrides/appstrings.properties b/browser/locales/en-US/chrome/overrides/appstrings.properties
index 357abe385ca..e70e7632de7 100644
--- a/browser/locales/en-US/chrome/overrides/appstrings.properties
+++ b/browser/locales/en-US/chrome/overrides/appstrings.properties
@@ -60,3 +60,4 @@ externalProtocolUnknown=<Unknown>
 externalProtocolChkMsg=Remember my choice for all links of this type.
 externalProtocolLaunchBtn=Launch application
 malwareBlocked=The site at %S has been reported as an attack site and has been blocked based on your security preferences.
+phishingBlocked=The web site at %S has been reported as a web forgery designed to trick users into sharing personal or financial information.
diff --git a/browser/locales/en-US/chrome/overrides/netError.dtd b/browser/locales/en-US/chrome/overrides/netError.dtd
index 2d3d56a1701..9487d491575 100644
--- a/browser/locales/en-US/chrome/overrides/netError.dtd
+++ b/browser/locales/en-US/chrome/overrides/netError.dtd
@@ -140,3 +140,9 @@
 <p>Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.</p>
 <p>Web site owners who believe their site has been reported as an attack site in error may <a href='http://www.stopbadware.org/home/reviewinfo' >request a review</a>.</p>
 ">
+
+<!ENTITY phishingBlocked.title "Suspected Web Forgery!">
+<!ENTITY phishingBlocked.longDesc "
+<p>Entering any personal information on this page may result in identity theft or other fraud.</p>
+<p>These types of web forgeries are used in scams known as phishing attacks, in which fraudulent web pages and emails are used to imitate sources you may trust.</p>
+">
diff --git a/browser/locales/jar.mn b/browser/locales/jar.mn
index 830120e52d1..686a5ba45a2 100644
--- a/browser/locales/jar.mn
+++ b/browser/locales/jar.mn
@@ -37,6 +37,7 @@
 #ifdef MOZ_SAFE_BROWSING
     locale/browser/safebrowsing/phishing-afterload-warning-message.dtd (%chrome/browser/safebrowsing/phishing-afterload-warning-message.dtd)
     locale/browser/safebrowsing/report-phishing.dtd                    (%chrome/browser/safebrowsing/report-phishing.dtd)
+    locale/browser/safebrowsing/blockedSite.properties                 (%chrome/browser/safebrowsing/blockedSite.properties)
 #endif
     locale/browser/feeds/subscribe.dtd              (%chrome/browser/feeds/subscribe.dtd)
     locale/browser/feeds/subscribe.properties       (%chrome/browser/feeds/subscribe.properties)
diff --git a/docshell/base/nsDocShell.cpp b/docshell/base/nsDocShell.cpp
index 9e0c5e4fa6e..1d33b089882 100644
--- a/docshell/base/nsDocShell.cpp
+++ b/docshell/base/nsDocShell.cpp
@@ -2853,6 +2853,9 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI *aURI,
     nsresult rv = NS_OK;
     nsAutoString messageStr;
     nsCAutoString cssClass;
+    nsCAutoString errorPage;
+
+    errorPage.AssignLiteral("neterror");
 
     // Turn the error code into a human readable error message.
     if (NS_ERROR_UNKNOWN_PROTOCOL == aError) {
@@ -2947,6 +2950,25 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI *aURI,
         }
         if (!messageStr.IsEmpty())
             error.AssignLiteral("nssFailure2");
+    } else if (NS_ERROR_PHISHING_URI == aError || NS_ERROR_MALWARE_URI == aError) {
+        nsCAutoString host;
+        aURI->GetHost(host);
+        CopyUTF8toUTF16(host, formatStrs[0]);
+        formatStrCount = 1;
+        
+        // Malware and phishing detectors may want to use an alternate error
+        // page, but if the pref's not set, we'll fall back on the standard page
+        nsXPIDLCString alternateErrorPage;
+        mPrefs->GetCharPref("urlclassifier.alternate_error_page",
+                            getter_Copies(alternateErrorPage));
+        if (alternateErrorPage)
+            errorPage.Assign(alternateErrorPage);
+
+        if (NS_ERROR_PHISHING_URI == aError)
+            error.AssignLiteral("phishingBlocked");
+        else
+            error.AssignLiteral("malwareBlocked");
+        cssClass.AssignLiteral("blacklist");
     }
     else {
         // Errors requiring simple formatting
@@ -2993,15 +3015,6 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI *aURI,
             // Bad Content Encoding.
             error.AssignLiteral("contentEncodingError");
             break;
-        case NS_ERROR_MALWARE_URI:
-            nsCAutoString host;
-            aURI->GetHost(host);
-            CopyUTF8toUTF16(host, formatStrs[0]);
-            formatStrCount = 1;
-
-            error.AssignLiteral("malwareBlocked");
-            cssClass.AssignLiteral("blacklist");
-            break;
         }
     }
 
@@ -3042,8 +3055,8 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI *aURI,
     // URI object. Missing URI objects are handled badly by session history.
     if (mUseErrorPages && aURI && aFailedChannel) {
         // Display an error page
-        LoadErrorPage(aURI, aURL, error.get(), messageStr.get(),
-                      cssClass.get(), aFailedChannel);
+        LoadErrorPage(aURI, aURL, errorPage.get(), error.get(),
+                      messageStr.get(), cssClass.get(), aFailedChannel);
     } 
     else
     {
@@ -3066,6 +3079,7 @@ nsDocShell::DisplayLoadError(nsresult aError, nsIURI *aURI,
 
 NS_IMETHODIMP
 nsDocShell::LoadErrorPage(nsIURI *aURI, const PRUnichar *aURL,
+                          const char *aErrorPage,
                           const PRUnichar *aErrorType,
                           const PRUnichar *aDescription,
                           const char *aCSSClass,
@@ -3135,7 +3149,9 @@ nsDocShell::LoadErrorPage(nsIURI *aURI, const PRUnichar *aURL,
     char *escapedDescription = nsEscape(NS_ConvertUTF16toUTF8(aDescription).get(), url_Path);
     char *escapedCSSClass = nsEscape(aCSSClass, url_Path);
 
-    nsCString errorPageUrl("about:neterror?e=");
+    nsCString errorPageUrl("about:");
+    errorPageUrl.AppendASCII(aErrorPage);
+    errorPageUrl.AppendLiteral("?e=");
 
     errorPageUrl.AppendASCII(escapedError);
     errorPageUrl.AppendLiteral("&u=");
diff --git a/docshell/base/nsDocShell.h b/docshell/base/nsDocShell.h
index e44a8deb521..6dbd4eb2e0d 100644
--- a/docshell/base/nsDocShell.h
+++ b/docshell/base/nsDocShell.h
@@ -404,7 +404,8 @@ protected:
                                 const PRUnichar *aURL,
                                 nsIChannel* aFailedChannel = nsnull);
     NS_IMETHOD LoadErrorPage(nsIURI *aURI, const PRUnichar *aURL,
-                             const PRUnichar *aPage,
+                             const char *aErrorPage,
+                             const PRUnichar *aErrorType,
                              const PRUnichar *aDescription,
                              const char *aCSSClass,
                              nsIChannel* aFailedChannel);
diff --git a/docshell/base/nsWebShell.cpp b/docshell/base/nsWebShell.cpp
index d561c75893a..c146c498fd9 100644
--- a/docshell/base/nsWebShell.cpp
+++ b/docshell/base/nsWebShell.cpp
@@ -1195,6 +1195,7 @@ nsresult nsWebShell::EndPageLoad(nsIWebProgress *aProgress,
              aStatus == NS_ERROR_NET_INTERRUPT ||
              aStatus == NS_ERROR_NET_RESET ||
              aStatus == NS_ERROR_MALWARE_URI ||
+             aStatus == NS_ERROR_PHISHING_URI ||
              NS_ERROR_GET_MODULE(aStatus) == NS_ERROR_MODULE_SECURITY) {
       DisplayLoadError(aStatus, url, nsnull, channel);
     }
diff --git a/dom/locales/en-US/chrome/appstrings.properties b/dom/locales/en-US/chrome/appstrings.properties
index b31d45522e7..2efa1b8fed8 100644
--- a/dom/locales/en-US/chrome/appstrings.properties
+++ b/dom/locales/en-US/chrome/appstrings.properties
@@ -60,3 +60,4 @@ externalProtocolUnknown=<Unknown>
 externalProtocolChkMsg=Remember my choice for all links of this type.
 externalProtocolLaunchBtn=Launch application
 malwareBlocked=The site at %S has been reported as an attack site and has been blocked based on your security preferences.
+phishingBlocked=The web site at %S has been reported as a web forgery designed to trick users into sharing personal or financial information.
diff --git a/dom/locales/en-US/chrome/netError.dtd b/dom/locales/en-US/chrome/netError.dtd
index d92d0808f53..4ea705029c3 100644
--- a/dom/locales/en-US/chrome/netError.dtd
+++ b/dom/locales/en-US/chrome/netError.dtd
@@ -59,3 +59,9 @@
 <p>Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.</p>
 <p>Web site owners who believe their site has been reported as an attack site in error may <a href='http://www.stopbadware.org/home/reviewinfo' >request a review</a>.</p>
 ">
+
+<!ENTITY phishingBlocked.title "Suspected Web Forgery!">
+<!ENTITY phishingBlocked.longDesc "
+<p>Entering any personal information on this page may result in identity theft or other fraud.</p>
+<p>These types of web forgeries are used in scams known as phishing attacks, in which fraudulent web pages and emails are used to imitate sources you may trust.</p>
+">
diff --git a/toolkit/components/url-classifier/src/nsUrlClassifierDBService.cpp b/toolkit/components/url-classifier/src/nsUrlClassifierDBService.cpp
index 6991ed8d6b8..7ad3969172d 100644
--- a/toolkit/components/url-classifier/src/nsUrlClassifierDBService.cpp
+++ b/toolkit/components/url-classifier/src/nsUrlClassifierDBService.cpp
@@ -2107,6 +2107,13 @@ nsUrlClassifierClassifyCallback::HandleEvent(const nsACString& tables)
   tables.EndReading(end);
   if (FindInReadable(NS_LITERAL_CSTRING("-malware-"), begin, end)) {
     response = NS_ERROR_MALWARE_URI;
+  } else {
+    // Reset begin before checking phishing table
+    tables.BeginReading(begin);
+  
+    if (FindInReadable(NS_LITERAL_CSTRING("-phish-"), begin, end)) {
+      response = NS_ERROR_PHISHING_URI;
+    }
   }
 
   mCallback->OnClassifyComplete(response);
diff --git a/uriloader/base/nsURILoader.h b/uriloader/base/nsURILoader.h
index 854d364d767..2ef4ce74bdb 100644
--- a/uriloader/base/nsURILoader.h
+++ b/uriloader/base/nsURILoader.h
@@ -93,9 +93,10 @@ protected:
 };
 
 /**
- * The load has been cancelled because it was found on a malware blacklist.
+ * The load has been cancelled because it was found on a malware or phishing blacklist.
  * XXX: this belongs in an nsDocShellErrors.h file of some sort.
  */
 #define NS_ERROR_MALWARE_URI   NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_URILOADER, 30)
+#define NS_ERROR_PHISHING_URI  NS_ERROR_GENERATE_FAILURE(NS_ERROR_MODULE_URILOADER, 31)
 
 #endif /* nsURILoader_h__ */