You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
[Feature request]
tl;dr
Each website in web.app exists on at least two locations *.firebase.com *.web.app
could also be on a third party domain (outside of scope)
If possible - add an extra check for new PRs in the CI/CD pipeline to auto add *.firebaseapp.com to entries which are *.web.app.
And vice versa - auto add *.web.app to *.firebase.com entries. Not a blanket ban, just the subdomains.
We can not afford the luxury of blanket blocking web app or firebase, as it would cause a ton of FP flak.
Real world examples
For instance now we have portal-chain.web.app = exists in https://raw.githubusercontent.com/MetaMask/eth-phishing-detect/main/src/config.json and thus is blocked (expected)
However the same page is always accessible on an alternate place via same subdomain + firebaseapp.com
Resulting in the same scam not being blocked on it's alternate placeholder:
⛔portal-chain.web.app = blocked
❌portal-chain.firebaseapp.com = Not blocked
This opens a window of opportunity to scammers for scams which were already identified. Unless both entries are blocked, one does not produce a warning,
So lets say contributor adds randomscam.web.app to the blocked array
then CI CD checks ok, do we have the same but on firebase blocked?
Upon blocking randomscam.web.app = auto block randomscam.firebaseapp.com
Or reverse - contributor adds randomscam.firebaseapp.com to the blocked array
then CI CD checks ok, do we have the same firebase entry, but on web.app blocked?
Upon blocking randomscam.firebaseapp.com = auto block randomscam.web.app
This would automatically reduce the attack vector footprint of web.app and .firebase.app shenanigan entries, without the burden of manually adding both each time.
[Feature request]
tl;dr
Each website in web.app exists on at least two locations
*.firebase.com
*.web.app
could also be on a third party domain (outside of scope)
If possible - add an extra check for new PRs in the CI/CD pipeline to auto add
*.firebaseapp.com
to entries which are*.web.app
.And vice versa - auto add
*.web.app
to*.firebase.com
entries. Not a blanket ban, just the subdomains.We can not afford the luxury of blanket blocking web app or firebase, as it would cause a ton of FP flak.
Real world examples
For instance now we have
portal-chain.web.app
= exists inhttps://raw.githubusercontent.com/MetaMask/eth-phishing-detect/main/src/config.json
and thus is blocked (expected)However the same page is always accessible on an alternate place via same subdomain +
firebaseapp.com
Resulting in the same scam not being blocked on it's alternate placeholder:
⛔
portal-chain.web.app
= blocked❌
portal-chain.firebaseapp.com
= Not blockedThis opens a window of opportunity to scammers for scams which were already identified. Unless both entries are blocked, one does not produce a warning,
So lets say contributor adds
randomscam.web.app
to the blocked arraythen CI CD checks
ok, do we have the same but on firebase blocked?
Upon blocking
randomscam.web.app
= auto blockrandomscam.firebaseapp.com
Or reverse - contributor adds
randomscam.firebaseapp.com
to the blocked arraythen CI CD checks
ok, do we have the same firebase entry, but on web.app blocked?
Upon blocking
randomscam.firebaseapp.com
= auto blockrandomscam.web.app
This would automatically reduce the attack vector footprint of
web.app
and.firebase.app
shenanigan entries, without the burden of manually adding both each time.cc @409H @samczsun as discussed
The text was updated successfully, but these errors were encountered: