Update blockedSite text, use new stopbadware report url. b=420751, r=gavin, ui-r+a=beltzner

browser/app/profile/firefox.js

@@ -603,6 +603,10 @@ pref("urlclassifier.alternate_error_page", "blocked");
 
 // The number of random entries to send with a gethash request.
 pref("urlclassifier.gethashnoise", 4);
+
+// URL for checking the reason for a malware warning.
+pref("browser.safebrowsing.malware.reportURL", "http://www.stopbadware.org/reports/container?source=@APP_UA_NAME@&version=@APP_VERSION@&reportname=");
+
 #endif
 
 // defaults to true

browser/base/content/browser.js

@@ -2237,12 +2237,12 @@ function BrowserOnCommand(event) {
     if (!event.isTrusted)
       return;
 
+    var ot = event.originalTarget;
+    var errorDoc = ot.ownerDocument;
+
     // If the event came from an ssl error page, it is probably either the "Add
     // Exception…" or "Get me out of here!" button
-    if (/^about:neterror\?e=nssBadCert/.test(event.originalTarget.ownerDocument.documentURI)) {
-      var ot = event.originalTarget;
-      var errorDoc = ot.ownerDocument;
-      
+    if (/^about:neterror\?e=nssBadCert/.test(errorDoc.documentURI)) {
       if (ot == errorDoc.getElementById('exceptionDialogButton')) {
         var params = { exceptionAdded : false };
         
@@ -2265,23 +2265,66 @@ function BrowserOnCommand(event) {
           errorDoc.location.reload();
       }
       else if (ot == errorDoc.getElementById('getMeOutOfHereButton')) {
-        // Redirect them to a known-functioning page, default start page
-        var prefs = Cc["@mozilla.org/preferences-service;1"]
-                    .getService(Ci.nsIPrefService).getDefaultBranch(null);
-        var url = "about:blank";
-        try {
-          url = prefs.getComplexValue("browser.startup.homepage",
-                                      Ci.nsIPrefLocalizedString).data;
-          // If url is a pipe-delimited set of pages, just take the first one.
-          if (url.indexOf("|") != -1)
-            url = url.split("|")[0];
-        } catch(e) {
-          Components.utils.reportError("Couldn't get homepage pref: " + e);
-        }
-        content.location = url;
+        getMeOutOfHere();
       }
     }
+    else if (/^about:blocked/.test(errorDoc.documentURI)) {
+      // The event came from a button on a malware/phishing block page
+      
+      if (ot == errorDoc.getElementById('getMeOutButton')) {
+        getMeOutOfHere();
+      }
+      else if (ot == errorDoc.getElementById('reportButton')) {
+        // This is the "Why is this site blocked" button.  For malware,
+        // we can fetch a site-specific report, for phishing, we redirect
+        // to the generic page describing phishing protection.
+        if (/e=malwareBlocked/.test(errorDoc.documentURI)) {
+          // Get the stop badware "why is this blocked" report url,
+          // append the current url, and go there.
+          try {
+            var reportURL = gPrefService.getCharPref("browser.safebrowsing.malware.reportURL");
+            reportURL += content.location.href;
+            content.location = reportURL;
+          } catch (e) {
+            Components.utils.reportError("Couldn't get malware report URL: " + e);
+          }
+        }
+        else if (/e=phishingBlocked/.test(errorDoc.documentURI)) {
+          try {
+            content.location = Cc["@mozilla.org/toolkit/URLFormatterService;1"]
+                              .getService(Components.interfaces.nsIURLFormatter)
+                              .formatURLPref("browser.safebrowsing.warning.infoURL");
+          } catch (e) {
+            Components.utils.reportError("Couldn't get phishing info URL: " + e);
+          }
+        }
+      }
+    }
+}
+
+/**
+ * Re-direct the browser to a known-safe page.  This function is
+ * used when, for example, the user browses to a known malware page
+ * and is presented with about:blocked.  The "Get me out of here!"
+ * button should take the user to the default start page so that even
+ * when their own homepage is infected, we can get them somewhere safe.
+ */
+function getMeOutOfHere() {
+  // Get the start page from the *default* pref branch, not the user's
+  var prefs = Cc["@mozilla.org/preferences-service;1"]
+             .getService(Ci.nsIPrefService).getDefaultBranch(null);
+  var url = "about:blank";
+  try {
+    url = prefs.getComplexValue("browser.startup.homepage",
+                                Ci.nsIPrefLocalizedString).data;
+    // If url is a pipe-delimited set of pages, just take the first one.
+    if (url.indexOf("|") != -1)
+      url = url.split("|")[0];
+  } catch(e) {
+    Components.utils.reportError("Couldn't get homepage pref: " + e);
   }
+  content.location = url;
+}
 
 function BrowserFullScreen()
 {

browser/components/safebrowsing/content/blockedSite.xhtml

@@ -137,11 +137,11 @@
        */
       function initPage_malware()
       {
-        document.title = sb.GetStringFromName("malware.title");
+        document.title = sb.GetStringFromName("malware.title2");
         errorTitleText.textContent = document.title;
         errorShortDescText.textContent = sb.formatStringFromName("malware.shortDesc",
                                                                  [getHostString()], 1);
-        errorLongDesc.innerHTML = sb.GetStringFromName("malware.longDesc");
+        errorLongDesc.innerHTML = sb.GetStringFromName("malware.longDesc2");
       }
       
       /**
@@ -149,26 +149,11 @@
        */
       function initPage_phishing()
       {
-        document.title = sb.GetStringFromName("phishing.title");
+        document.title = sb.GetStringFromName("phishing.title2");
         errorTitleText.textContent = document.title;
-        errorShortDescText.textContent = sb.formatStringFromName("phishing.shortDesc",
+        errorShortDescText.textContent = sb.formatStringFromName("phishing.shortDesc2",
                                                                  [getHostString()], 1);
-        
-        var longDesc = sb.GetStringFromName("phishing.longDesc");
-
-        // If we have a more-info link for the phishing information, add it in,
-        // otherwise just use the generic text
-        var faqURL = Components.classes["@mozilla.org/toolkit/URLFormatterService;1"]
-                               .getService(Components.interfaces.nsIURLFormatter)
-                               .formatURLPref("browser.safebrowsing.warning.infoURL");
-        if(faqURL && faqURL != "about:blank") {
-          longDesc += sb.formatStringFromName("phishing.learnMoreLink",
-                                              [brandShortName], 1);
-          errorLongDesc.innerHTML = longDesc;          
-          document.getElementById("faqLink").setAttribute("href", faqURL);
-        }
-        else 
-          errorLongDesc.innerHTML = longDesc;
+        errorLongDesc.innerHTML = sb.GetStringFromName("phishing.longDesc2");
       }
     ]]></script>
   </head>
@@ -195,8 +180,11 @@
         
         <!-- Action buttons -->
         <div id="buttons">
+          <!-- Commands handled in browser.js -->
           <xul:button xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
-                      id="getMeOutButton" label="&safeb.palm.accept.label;" oncommand="window.home();" />
+                      id="getMeOutButton" label="&safeb.palm.accept.label;"/>
+          <xul:button xmlns:xul="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"
+                      id="reportButton" label="&safeb.palm.report.label;"/>
         </div>
       </div>
     </div>

browser/locales/en-US/chrome/browser/safebrowsing/blockedSite.properties

@@ -1,12 +1,7 @@
-malware.title=Suspected Attack Site!
+malware.title2=Reported Attack Site!
 malware.shortDesc=The web site at %S has been reported as an attack site and has been blocked based on your security preferences.
-malware.longDesc=<p>Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.</p>\n<p>Web site owners who believe their site has been reported as an attack site in error may <a href='http://www.stopbadware.org/home/reviewinfo' >request a review</a>.</p>
+malware.longDesc2=<p>Attack sites try to install programs that steal private information, use your computer to attack others, or damage your system.</p>\n<p>Some attack sites intentionally distribute harmful software, but many are compromised without the knowledge or permission of their owners.</p>
 
-phishing.title=Suspected Web Forgery!
-phishing.shortDesc=The web site at %S has been reported as a web forgery designed to trick users into sharing personal or financial information.
-phishing.longDesc=<p>Entering any personal information on this page may result in identity theft or other fraud.</p><p>These types of web forgeries are used in scams known as phishing attacks, in which fraudulent web pages and emails are used to imitate sources you may trust.</p>
-
-# Localization note (phishing.learnMoreLink): please leave the HTML tags as-is.
-# A localized href is pulled in from user preferences automatically.  The anchor
-# text, as well as the rest of the sentence, should be translated.
-phishing.learnMoreLink=<p>You can find out more about <a id="faqLink" href="">how %S protects you</a> from phishing attacks.</p>
+phishing.title2=Reported Web Forgery!
+phishing.shortDesc2=The web site at %S has been reported as a web forgery and has been blocked based on your security preferences.
+phishing.longDesc2=<p>Web forgeries are designed to trick you into revealing personal or financial information by imitating sources you may trust.</p><p>Entering any information on this web page may result in identity theft or other fraud.</p>

browser/locales/en-US/chrome/browser/safebrowsing/phishing-afterload-warning-message.dtd

@@ -13,5 +13,6 @@
 <!ENTITY safeb.palm.decline.label "Ignore this warning">
 <!ENTITY safeb.palm.decline.statustext "Close warning" >
 <!ENTITY safeb.palm.notforgery.label2 "This isn't a web forgery…">
+<!ENTITY safeb.palm.report.label "Why was this site blocked?">
 
 <!ENTITY safeb.urlbaricon.tooltip "This page might be dangerous; click for details.">