Merge branch 'master' into Version-v10.15.0

.depcheckrc.yml

@@ -17,6 +17,7 @@ ignores:
   # used in testing + ci
   - '@metamask/auto-changelog' # invoked as `auto-changelog`
   - '@metamask/forwarder'
+  - '@metamask/phishing-warning' # statically hosted as part of some e2e tests
   - '@metamask/test-dapp'
   - '@metamask/design-tokens' # Only imported in index.css
   - '@tsconfig/node14' # required dynamically by TS, used in tsconfig.json

.metamaskrc.dist

@@ -6,3 +6,6 @@ ONBOARDING_V2=
 SWAPS_USE_DEV_APIS=
 COLLECTIBLES_V1=
 TOKEN_DETECTION_V2=
+
+; Set this to test changes to the phishing warning page.
+PHISHING_WARNING_PAGE_URL=

CHANGELOG.md

@@ -29,6 +29,39 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Fix bug that could have caused some ledger transactions to fail after connecting Ledger then locking and unlocking ([#14563](https://github.com/MetaMask/metamask-extension/pull/14563))
 - Fix bug that could cause MetaMask to crash in some cases when attempting to send a transaction ([#14608](https://github.com/MetaMask/metamask-extension/pull/14608))
 
+## [10.14.7]
+### Changed
+- Make JavaScript bundles more reproducible between environments.
+  - The bundles no longer include absolute paths to each module included.
+
+## [10.14.6]
+### Changed
+- Move phishing warning page to external site.
+  - The page shown when a site is blocked has been extracted from the extension and moved to an external site. This site is eagerly cached with a service worker upon extension startup, so it should continue to work even while offline.
+- Make build .zip files reproducible (#14623)
+  - The ordering of files within each .zip file was non-deterministic before this change. We fixed this to comply with Firefox store policies.
+
+## [10.14.5]
+### Fixed
+- This release was deployed to fix a configuration issue.
+
+## [10.14.4]
+### Fixed
+- This release was deployed to fix a configuration issue.
+
+## [10.14.3]
+### Fixed
+- This release was deployed to fix a configuration issue.
+
+## [10.14.2]
+### Fixed
+- Make build deterministic (#14610)
+    - The ordering of modules within each bundle was non-deterministic before this change. We fixed this to comply with Firefox store policies.
+
+## [10.14.1]
+### Changed
+- This version was used to rollback from v10.14.0 to v10.13.0.
+
 ## [10.14.0]
 ### Added
 - **[FLASK]** Add snap version to details page ([#14110](https://github.com/MetaMask/metamask-extension/pull/14110))
@@ -2932,7 +2965,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added the ability to restore accounts from seed words.
 
 [Unreleased]: https://github.com/MetaMask/metamask-extension/compare/v10.15.0...HEAD
-[10.15.0]: https://github.com/MetaMask/metamask-extension/compare/v10.14.0...v10.15.0
+[10.15.0]: https://github.com/MetaMask/metamask-extension/compare/v10.14.7...v10.15.0
+[10.14.7]: https://github.com/MetaMask/metamask-extension/compare/v10.14.6...v10.14.7
+[10.14.6]: https://github.com/MetaMask/metamask-extension/compare/v10.14.5...v10.14.6
+[10.14.5]: https://github.com/MetaMask/metamask-extension/compare/v10.14.4...v10.14.5
+[10.14.4]: https://github.com/MetaMask/metamask-extension/compare/v10.14.3...v10.14.4
+[10.14.3]: https://github.com/MetaMask/metamask-extension/compare/v10.14.2...v10.14.3
+[10.14.2]: https://github.com/MetaMask/metamask-extension/compare/v10.14.1...v10.14.2
+[10.14.1]: https://github.com/MetaMask/metamask-extension/compare/v10.14.0...v10.14.1
 [10.14.0]: https://github.com/MetaMask/metamask-extension/compare/v10.13.0...v10.14.0
 [10.13.0]: https://github.com/MetaMask/metamask-extension/compare/v10.12.4...v10.13.0
 [10.12.4]: https://github.com/MetaMask/metamask-extension/compare/v10.12.3...v10.12.4

app/manifest/_base.json

@@ -72,6 +72,5 @@
     "*://*.eth/",
     "notifications"
   ],
-  "short_name": "__MSG_appName__",
-  "web_accessible_resources": ["inpage.js", "phishing.html"]
+  "short_name": "__MSG_appName__"
 }

app/scripts/background.js

@@ -67,6 +67,12 @@ if (inTest || process.env.METAMASK_DEBUG) {
   global.metamaskGetState = localStore.get.bind(localStore);
 }
 
+const phishingPageUrl = new URL(process.env.PHISHING_WARNING_PAGE_URL);
+
+const ONE_SECOND_IN_MILLISECONDS = 1_000;
+// Timeout for initializing phishing warning page.
+const PHISHING_WARNING_PAGE_TIMEOUT = ONE_SECOND_IN_MILLISECONDS;
+
 // initialization flow
 initialize().catch(log.error);
 
@@ -134,9 +140,76 @@ async function initialize() {
   const initState = await loadStateFromPersistence();
   const initLangCode = await getFirstPreferredLangCode();
   await setupController(initState, initLangCode);
+  await loadPhishingWarningPage();
   log.info('MetaMask initialization complete.');
 }
 
+/**
+ * An error thrown if the phishing warning page takes too long to load.
+ */
+class PhishingWarningPageTimeoutError extends Error {
+  constructor() {
+    super('Timeout failed');
+  }
+}
+
+/**
+ * Load the phishing warning page temporarily to ensure the service
+ * worker has been registered, so that the warning page works offline.
+ */
+async function loadPhishingWarningPage() {
+  let iframe;
+  try {
+    const extensionStartupPhishingPageUrl = new URL(
+      process.env.PHISHING_WARNING_PAGE_URL,
+    );
+    // The `extensionStartup` hash signals to the phishing warning page that it should not bother
+    // setting up streams for user interaction. Otherwise this page load would cause a console
+    // error.
+    extensionStartupPhishingPageUrl.hash = '#extensionStartup';
+
+    iframe = window.document.createElement('iframe');
+    iframe.setAttribute('src', extensionStartupPhishingPageUrl.href);
+    iframe.setAttribute('sandbox', 'allow-scripts allow-same-origin');
+
+    // Create "deferred Promise" to allow passing resolve/reject to event handlers
+    let deferredResolve;
+    let deferredReject;
+    const loadComplete = new Promise((resolve, reject) => {
+      deferredResolve = resolve;
+      deferredReject = reject;
+    });
+
+    // The load event is emitted once loading has completed, even if the loading failed.
+    // If loading failed we can't do anything about it, so we don't need to check.
+    iframe.addEventListener('load', deferredResolve);
+
+    // This step initiates the page loading.
+    window.document.body.appendChild(iframe);
+
+    // This timeout ensures that this iframe gets cleaned up in a reasonable
+    // timeframe, and ensures that the "initialization complete" message
+    // doesn't get delayed too long.
+    setTimeout(
+      () => deferredReject(new PhishingWarningPageTimeoutError()),
+      PHISHING_WARNING_PAGE_TIMEOUT,
+    );
+    await loadComplete;
+  } catch (error) {
+    if (error instanceof PhishingWarningPageTimeoutError) {
+      console.warn(
+        'Phishing warning page timeout; page not guaraneteed to work offline.',
+      );
+    } else {
+      console.error('Failed to initialize phishing warning page', error);
+    }
+  } finally {
+    if (iframe) {
+      iframe.remove();
+    }
+  }
+}
+
 //
 // State and Persistence
 //
@@ -362,6 +435,10 @@ function setupController(initState, initLangCode) {
         remotePort.sender.origin === `chrome-extension://${browser.runtime.id}`;
     }
 
+    const senderUrl = remotePort.sender?.url
+      ? new URL(remotePort.sender.url)
+      : null;
+
     if (isMetaMaskInternalProcess) {
       const portStream = new PortStream(remotePort);
       // communication with popup
@@ -406,6 +483,15 @@ function setupController(initState, initLangCode) {
           );
         });
       }
+    } else if (
+      senderUrl &&
+      senderUrl.origin === phishingPageUrl.origin &&
+      senderUrl.pathname === phishingPageUrl.pathname
+    ) {
+      const portStream = new PortStream(remotePort);
+      controller.setupPhishingCommunication({
+        connectionStream: portStream,
+      });
     } else {
       if (remotePort.sender && remotePort.sender.tab && remotePort.sender.url) {
         const tabId = remotePort.sender.tab.id;