diff --git a/app/extensions/brave/locales/en-US/app.properties b/app/extensions/brave/locales/en-US/app.properties
index f6096f036f..2c56922d9d 100644
--- a/app/extensions/brave/locales/en-US/app.properties
+++ b/app/extensions/brave/locales/en-US/app.properties
@@ -98,6 +98,7 @@ partiallySecureConnection=Partially insecure connection
 partiallySecureConnectionInfo=This page was loaded over HTTPS, but some elements were not loaded securely.
 insecureConnection=Using an insecure connection
 insecureConnectionInfo=Your connection to this site is not private. An eavesdropper may be able to tamper with this page and read your data.
+phishingConnectionInfo=javascript:, data:, and blob: URLs are not secure and may be used for phishing attacks. Be careful when entering passwords and sensitive information!
 blockedTrackingElements={{blockedTrackingElementsSize}} Blocked tracking elements
 replacedAds={{replacedAdsSize}} Ads replaced
 blockedAds={{blockedAdsSize}} Ads blocked
diff --git a/app/renderer/components/urlBarIcon.js b/app/renderer/components/urlBarIcon.js
index 9132dcea0f..d075a6d76d 100644
--- a/app/renderer/components/urlBarIcon.js
+++ b/app/renderer/components/urlBarIcon.js
@@ -9,6 +9,7 @@ const cx = require('../../../js/lib/classSet')
 const dragTypes = require('../../../js/constants/dragTypes')
 const dndData = require('../../../js/dndData')
 const {isSourceAboutUrl} = require('../../../js/lib/appUrlUtil')
+const {isPotentialPhishingUrl} = require('../../../js/lib/urlutil')
 const searchIconSize = 16
 class UrlBarIcon extends ImmutableComponent {
@@ -18,7 +19,9 @@ class UrlBarIcon extends ImmutableComponent {
 this.onDragStart = this.onDragStart.bind(this)
 }
 get iconCssClasses () {
- if (this.isSearch) {
+ if (isPotentialPhishingUrl(this.props.location)) {
+ return ['fa-exclamation-triangle', 'insecure-color']
+ } else if (this.isSearch) {
 return ['fa-search']
 } else if (this.isAboutPage && !this.props.titleMode) {
 return ['fa-list']
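Review bot: In `urlBarIcon.js`, the new first branch of `iconCssClasses` only wins because it is tested before `isSearch` and the about-page branch, and nothing in the code records that this ordering is deliberate. A later reorder could quietly let a javascript:, data: or blob: location fall through to a neutral icon, so I would add `// Keep first: a location flagged by isPotentialPhishingUrl must never fall through to the search, about or any later icon.` above the `if`. The branch also passes `this.props.location` straight to the helper, whose definition is not shown in this part of the diff; it is worth confirming the helper tolerates an empty or undefined location, since this getter presumably runs on every render of the URL bar. The getter's remaining branches continue past the end of the hunk.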
diff --git a/app/renderer/reducers/urlBarReducer.js b/app/renderer/reducers/urlBarReducer.js
index cdba2cdf36..b1f1616cbe 100644
--- a/app/renderer/reducers/urlBarReducer.js
+++ b/app/renderer/reducers/urlBarReducer.js
@@ -6,7 +6,7 @@
 const windowConstants = require('../../../js/constants/windowConstants')
 const {getSourceAboutUrl, getSourceMagnetUrl, isIntermediateAboutPage, navigatableTypes} = require('../../../js/lib/appUrlUtil')
-const {isURL, getUrlFromInput} = require('../../../js/lib/urlutil')
+const {isURL, isPotentialPhishingUrl, getUrlFromInput} = require('../../../js/lib/urlutil')
 const {activeFrameStatePath, frameStatePath, getFrameByKey, getActiveFrame, tabStatePath} = require('../../../js/state/frameStateUtil')
 const urlParse = require('../../common/urlParse')
@@ -28,6 +28,11 @@ const urlBarReducer = (state, action) => {
 const currentLocation = frame.get('location')
 const parsedUrl = urlParse(action.location)
+ // For potential phishing pages, show a warning
+ if (isPotentialPhishingUrl(action.location)) {
+ state = state.setIn(['ui', 'siteInfo', 'isVisible'], true)
+ }
+
 // For types that are not navigatable, just do a loadUrl on them
 if (!navigatableTypes.includes(parsedUrl.protocol)) {
 if (parsedUrl.protocol !== 'javascript:' ||
diff --git a/js/components/siteInfo.js b/js/components/siteInfo.js
index 83625ad4fe..043dfaae0f 100644
--- a/js/components/siteInfo.js
+++ b/js/components/siteInfo.js
@@ -6,6 +6,7 @@ const React = require('react')
 const ipc = require('electron').ipcRenderer
 const ImmutableComponent = require('./immutableComponent')
 const cx = require('../lib/classSet')
+const {isPotentialPhishingUrl} = require('../lib/urlutil')
 const Dialog = require('./dialog')
 const Button = require('./button')
 const appActions = require('../actions/appActions')
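Review bot: In `urlBarReducer.js`, the added block sets `['ui', 'siteInfo', 'isVisible']` at the root of the window state rather than under the frame whose location is changing, so the site-info dialog opens for whichever tab is in front. The line above reads `frame.get('location')`, and how `frame` is chosen is outside the hunk; if this case can run for a background frame, a flagged load in a hidden tab would pop the dialog over an unrelated page and the warning could be dismissed before the user ever reaches the risky tab. Gating on the frame being active would avoid that, e.g. `if (isPotentialPhishingUrl(action.location) && frame === getActiveFrame(state)) {`, assuming `getActiveFrame` accepts the window state (or compare the frames' keys instead). The check also classifies the raw `action.location` while the next branch uses `parsedUrl.protocol`, so it is worth confirming the helper normalises the scheme the same way `urlParse` does. The enclosing reducer case starts and ends outside the hunk.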
@@ -58,6 +59,9 @@ class SiteInfo extends ImmutableComponent {
 get location () {
 return this.props.frameProps.getIn(['location'])
 }
+ get maybePhishingLocation () {
+ return isPotentialPhishingUrl(this.props.frameProps.getIn(['location']))
+ }
 render () {
 // Figure out the partition info display
 let l10nArgs = {
@@ -93,7 +97,11 @@ class SiteInfo extends ImmutableComponent {
 viewCertificateButton =
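Review bot: In `siteInfo.js`, the `maybePhishingLocation` getter added by the `@@ -58,6 +59,9 @@` hunk repeats the lookup `this.props.frameProps.getIn(['location'])` instead of using the `location` getter defined directly above it, so the warning and the location the dialog reads can drift apart if that lookup ever changes. `return isPotentialPhishingUrl(this.location)` expresses the same check and keeps both tied to one value. A short comment such as `// True when the frame's location is flagged by isPotentialPhishingUrl (javascript:, data: or blob: per the locale string).` would also help, since the getter is presumably consumed in `render()` in the following hunk, which is cut off in this view.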