- Vendor community-maintained phishing domain blocklist into
src/shared/phishingBlocklist.json (bundled at build time by esbuild)
- Refactor phishingDomains.js: build vendored Sets at module load,
fetch live list periodically, keep only delta (new entries not in
vendored) in memory for small runtime footprint
- Domain checker checks delta first (fresh scam sites), then vendored
- Persist delta to localStorage if under 256 KiB
- Load delta from localStorage on startup for instant coverage
- Add startPeriodicRefresh() with 24h setInterval in background script
- Remove dead code: popup's local isPhishingDomain() re-check was inert
(popup never called updatePhishingList so its blacklistSet was always
empty); now relies solely on background's authoritative flag
- Remove all competitor name mentions from UI warning text and comments
- Update README: document phishing domain protection architecture,
update external services list
- Update tests: cover vendored blocklist loading, delta computation,
localStorage persistence, delta+vendored interaction
Closes#114
- Add etherscanLabels module: scrapes Etherscan address pages for
phishing/scam labels (Fake_Phishing*, Exploiter, scam warnings).
Integrated as best-effort async check in addressWarnings.
- Add phishingDomains module: fetches MetaMask's eth-phishing-detect
blocklist (~231K domains) at runtime, caches in memory, refreshes
every 24h. Checks hostnames with subdomain matching and whitelist
overrides.
- Integrate domain phishing checks into all approval flows:
connection requests, transaction approvals, and signature requests
show a prominent red warning banner when the requesting site is on
the MetaMask blocklist.
- Add unit tests for both modules (12 tests for etherscanLabels
parsing, 15 tests for phishingDomains matching).
Closes#114
