[PM-19814] Improved warning popup UI #14255
Conversation
…eleased separately in another ticket.
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #14255 +/- ##
===========================================
- Coverage 36.87% 5.85% -31.03%
===========================================
Files 3210 28 -3182
Lines 92568 1709 -90859
Branches 16610 0 -16610
===========================================
- Hits 34137 100 -34037
+ Misses 56017 1609 -54408
+ Partials 2414 0 -2414 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
|
New Issues (1)Checkmarx found the following issues in this Pull Request
|
|
I am looking into pipeline issues now. |
…t will be unauthenticated.
…nore to the remaining ones.
| @@ -0,0 +1,272 @@ | |||
| // FIXME: Update this file to be type safe and remove this and next line | |||
| // @ts-strict-ignore | |||
There was a problem hiding this comment.
I'm still encountering type errors with BrowserApi.addListener despite adding types. All other calls to BrowserApi.addListener are using @ts-strict-ignore.
[typescript-strict-plugin] apps/browser/src/phishing-detection/background/phishing-detection.service.ts(217,7): error TS2345: Argument of type '(message: CheckUrlMessage, _: chrome.runtime.MessageSender, sendResponse: (response?: unknown) => void) => void' is not assignable to parameter of type '(...args: readonly unknown[]) => unknown'.
[typescript-strict-plugin] apps/browser/src/phishing-detection/background/phishing-detection.service.ts(237,7): error TS2345: Argument of type '(message: RedirectMessage, sender: chrome.runtime.MessageSender) => void' is not assignable to parameter of type '(...args: readonly unknown[]) => unknown'.
Other failed attempt
const handler = (args: [RedirectMessage, chrome.runtime.MessageSender]): void => {
const [message, sender] = args;
// code
};
BrowserApi.addListener(chrome.runtime.onMessage, handler);
Result
[typescript-strict-plugin] apps/browser/src/phishing-detection/background/phishing-detection.service.ts(261,54): error TS2345: Argument of type '(args: [RedirectMessage, chrome.runtime.MessageSender]) => void' is not assignable to parameter of type '(...args: readonly unknown[]) => unknown'.
| const response = await chrome.runtime.sendMessage({ | ||
| command: PhishingDetectionCommands.CheckUrl, | ||
| activeUrl, | ||
| }); |
There was a problem hiding this comment.
The background can do this check (and the redirect) before script injection, no?
I'm not sure content script injection is the right way to go here since:
- We should be able to (I believe) do everything this script is doing in the background, avoiding messaging back and forth
- Is this content script not going to inject/evaluate until after page load (at least presently, I believe)? At that point, it may be too late for phishing protection to do it's job
- Check out
onBeforeRequestfor this; we have some prior art in apps/browser/src/autofill/background/overlay-notifications.background.ts which may be helpful
- Check out
- We should trust the tab/page execution context as little as possible, and this is a potentially high impact operation
- What happens if the script injection fails due to poor existing page code interaction (rare, but it happens)?
- Will notification excluded domains and blocked domains neverDomains filtering prevent this script injection?
There was a problem hiding this comment.
The main reason for using the content script is to get the current URL. If I can get it with onBeforeRequest, then we can go down that route.
We didn't account for neverDomains. I can try adding it. I'll check how we're handling it in the browser, but if you know of any good examples, please send them my way.
There was a problem hiding this comment.
Yeah, I believe the background already knows the URL of the tabs. Skipping a content script injection for this would be safer, more performant, and avoid having to deal with NeverDomains.
|
🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-19814
📔 Objective
Context: This project's original idea came from an innovation sprint. This ticket is meant to improve the UI, but since the original code was never merged into
main, I think we should review everything together. I wrote this doc to provide a general overview of the expected behavior.Objectives:
Note: I'll address these TODOs while the main body of work is under review, so we can identify potential blockers sooner.
📸 Screenshots
Note:
phishing.detection.test.mov
⏰ Reminders before review
🦮 Reviewer guidelines
:+1:) or similar for great changes:memo:) or ℹ️ (:information_source:) for notes or general info:question:) for questions:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion:art:) for suggestions / improvements:x:) or:warning:) for more significant problems or concerns needing attention:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt:pick:) for minor or nitpick changes