Remove all whitelist functionality from the phishing domain system.
The blocklist now only checks the blacklist — no whitelist overrides.
- Remove vendoredWhitelist and deltaWhitelist Sets
- Remove whitelist checks in isPhishingDomain()
- Remove whitelist from delta storage persistence
- Remove whitelist from loadConfig() delta computation
- Remove whitelist-specific test cases
- Update README to remove whitelist mention
Closes #114
- Vendor community-maintained phishing domain blocklist into
src/shared/phishingBlocklist.json (bundled at build time by esbuild)
- Refactor phishingDomains.js: build vendored Sets at module load,
fetch live list periodically, keep only delta (new entries not in
vendored) in memory for small runtime footprint
- Domain checker checks delta first (fresh scam sites), then vendored
- Persist delta to localStorage if under 256 KiB
- Load delta from localStorage on startup for instant coverage
- Add startPeriodicRefresh() with 24h setInterval in background script
- Remove dead code: popup's local isPhishingDomain() re-check was inert
(popup never called updatePhishingList so its blacklistSet was always
empty); now relies solely on background's authoritative flag
- Remove all competitor name mentions from UI warning text and comments
- Update README: document phishing domain protection architecture,
update external services list
- Update tests: cover vendored blocklist loading, delta computation,
localStorage persistence, delta+vendored interaction
Closes#114
- Add etherscanLabels module: scrapes Etherscan address pages for
phishing/scam labels (Fake_Phishing*, Exploiter, scam warnings).
Integrated as best-effort async check in addressWarnings.
- Add phishingDomains module: fetches MetaMask's eth-phishing-detect
blocklist (~231K domains) at runtime, caches in memory, refreshes
every 24h. Checks hostnames with subdomain matching and whitelist
overrides.
- Integrate domain phishing checks into all approval flows:
connection requests, transaction approvals, and signature requests
show a prominent red warning banner when the requesting site is on
the MetaMask blocklist.
- Add unit tests for both modules (12 tests for etherscanLabels
parsing, 15 tests for phishingDomains matching).
Closes#114
Adds a test that constructs a Uniswap V4 USDT→USDC swap using
SETTLE/SWAP_EXACT_IN_SINGLE/TAKE sub-actions inside a V4_SWAP command.
Without decodeV4Swap(), the output token would be unresolvable and the
swap name would not show 'USDT → USDC'. This test fails on the old code
and passes with the decodeV4Swap() fix.
Refs: #59
Replace stub error handlers with full approval flow for personal_sign,
eth_sign, eth_signTypedData_v4, and eth_signTypedData. Uses toolbar
popup only (no fallback window) and keeps sign approvals pending across
popup close/reopen cycles so the user can respond via the toolbar icon.
Makefile, Dockerfile, CI workflow, prettier config, manifests for
Chrome (MV3) and Firefox (MV2), source directory structure, and
minimal test suite. All checks pass.
