refactor: Refactor inpage blocklist to avoid usage of regex (#8675)
## **Description**
This PR fixes two bugs that occurred as the result of using regex to
identify URLs in our content script blocklist.

The first issue is that we were only escaping the first `.` found in a
URL when using the inpage blocklist. This meant that entries such as
`ani.gamer.com.tw` would have their first period escaped for regex
parsing, but subsequent periods were treated as regex wildcards. This
could lead to unintentionally matching on URLs such as
`ani.gamerxcom.tw` etc.

The second issue is that we were missing a leading anchor `^` in the
regex expression. This means that we would block the domain if the
matched string occurred anywhere in the URL. For example,
`https://google.com?search=uscourts.gov` would be a blocked domain since
it ended in `uscourts.gov`. Adding the leading anchor addresses this so
we only match the correct domain.

To avoid future regex complexities, this code has been refactored to use
built-in JavaScript URL parsing instead.


## **Related issues**

MetaMask/mobile-planning#1571


## **Manual testing steps**

## **Pre-merge author checklist**

- [x] I’ve followed [MetaMask Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've clearly explained what problem this PR is solving and how it
is solved.
- [x] I've linked related issues
- [ ] I've included manual testing steps
- [x] I've included screenshots/recordings if applicable
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [X] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.
- [X] I’ve properly set the pull request status:
  - [X] In case it's not yet "ready for review", I've set it to "draft".
- [X] In case it's "ready for review", I've changed it from "draft" to
"non-draft".

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

Note: Issue with testing has been created here:
#9009
NicholasEllul authored Mar 20, 2024
1 parent ffc7225 commit 5bf8452
Showing 1 changed file with 28 additions and 14 deletions.
42 changes: 28 additions & 14 deletions scripts/inpage-bridge/content-script/index.js
Expand Up @@ -105,31 +105,45 @@ function documentElementCheck() {
* @returns {boolean} {@code true} if the current domain is blocked
*/
function blockedDomainCheck() {
// If making any changes, please also update the same list found in the MetaMask-Mobile & SDK repositories
const blockedDomains = [
'execution.consensys.io',
'execution.metamask.io',
'uscourts.gov',
'dropbox.com',
'webbyawards.com',
'cdn.shopify.com/s/javascripts/tricorder/xtld-read-only-frame.html',
'adyen.com',
'gravityforms.com',
'harbourair.com',
'ani.gamer.com.tw',
'blueskybooking.com',
'sharefile.com',
'battle.net',
];
const currentUrl = window.location.href;
let currentRegex;
for (let i = 0; i < blockedDomains.length; i++) {
const blockedDomain = blockedDomains[i].replace('.', '\\.');
currentRegex = new RegExp(
`(?:https?:\\/\\/)(?:(?!${blockedDomain}).)*$`,
'u',
);
if (!currentRegex.test(currentUrl)) {
return true;
}
}
return false;

// Matching will happen based on the hostname, and path
const blockedUrlPaths = [
'cdn.shopify.com/s/javascripts/tricorder/xtld-read-only-frame.html',
];

const { hostname: currentHostname, pathname: currentPathname } =
window.location;

const trimTrailingSlash = (str) =>
str.endsWith('/') ? str.slice(0, -1) : str;

return (
blockedDomains.some(
(blockedDomain) =>
blockedDomain === currentHostname ||
currentHostname.endsWith(`.${blockedDomain}`),
) ||
blockedUrlPaths.some(
(blockedUrlPath) =>
trimTrailingSlash(blockedUrlPath) ===
trimTrailingSlash(currentHostname + currentPathname),
)
);
}

/**
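Review bot: In the `blockedDomains.some(...)` comparison, `currentHostname` is used exactly as read from `window.location`, so a fully qualified hostname written with a trailing dot (for example `dropbox.com.`) satisfies neither `blockedDomain === currentHostname` nor the `currentHostname.endsWith(...)` suffix check, and the page is treated as not blocked. Consider stripping a single trailing `.` from `currentHostname` before both the domain comparison and the `blockedUrlPaths` comparison. Two documentation points in the same hunk: the JSDoc `@returns` line still says only "if the current domain is blocked" although the function now also matches on hostname plus path, and the new `blockedUrlPaths` array does not carry the "please also update the same list" reminder that sits above `blockedDomains`.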