Remove all whitelist functionality from the phishing domain system.
The blocklist now only checks the blacklist — no whitelist overrides.
- Remove vendoredWhitelist and deltaWhitelist Sets
- Remove whitelist checks in isPhishingDomain()
- Remove whitelist from delta storage persistence
- Remove whitelist from loadConfig() delta computation
- Remove whitelist-specific test cases
- Update README to remove whitelist mention
Closes #114
- Vendor community-maintained phishing domain blocklist into
src/shared/phishingBlocklist.json (bundled at build time by esbuild)
- Refactor phishingDomains.js: build vendored Sets at module load,
fetch live list periodically, keep only delta (new entries not in
vendored) in memory for small runtime footprint
- Domain checker checks delta first (fresh scam sites), then vendored
- Persist delta to localStorage if under 256 KiB
- Load delta from localStorage on startup for instant coverage
- Add startPeriodicRefresh() with 24h setInterval in background script
- Remove dead code: popup's local isPhishingDomain() re-check was inert
(popup never called updatePhishingList so its blacklistSet was always
empty); now relies solely on background's authoritative flag
- Remove all competitor name mentions from UI warning text and comments
- Update README: document phishing domain protection architecture,
update external services list
- Update tests: cover vendored blocklist loading, delta computation,
localStorage persistence, delta+vendored interaction
Closes#114
Bug 1: getFullWarnings returned early for contract addresses, skipping
checkEtherscanLabel. Restructured to use isContract flag so the Etherscan
check runs for all addresses (contracts are often the most dangerous).
Bug 2: confirmTx.js only handled 'contract' and 'new-address' warning types,
silently discarding 'etherscan-phishing'. Added confirm-etherscan-warning
HTML element and handler in the async warnings loop.
Style: converted inline style attributes on phishing warning banners
(approve-tx, approve-sign, approve-site) to Tailwind utility classes
(bg-red-100 text-red-800 border-2 border-red-600 rounded-md).
- Add etherscanLabels module: scrapes Etherscan address pages for
phishing/scam labels (Fake_Phishing*, Exploiter, scam warnings).
Integrated as best-effort async check in addressWarnings.
- Add phishingDomains module: fetches MetaMask's eth-phishing-detect
blocklist (~231K domains) at runtime, caches in memory, refreshes
every 24h. Checks hostnames with subdomain matching and whitelist
overrides.
- Integrate domain phishing checks into all approval flows:
connection requests, transaction approvals, and signature requests
show a prominent red warning banner when the requesting site is on
the MetaMask blocklist.
- Add unit tests for both modules (12 tests for etherscanLabels
parsing, 15 tests for phishingDomains matching).
Closes#114
- Refactor address warnings into src/shared/addressWarnings.js module
- getLocalWarnings(address, options): sync checks against local lists
- getFullWarnings(address, provider, options): async local + RPC checks
- Expand scam address list from 652 to 2417 addresses
- Added EtherScamDB (MIT) as additional source
- Update confirmTx.js to use the new addressWarnings module
