1258542 - "Help > Report deceptive site..." should report principal or referrer for data: documents

Status: RESOLVED WONTFIX

(Toolkit :: Safe Browsing, enhancement)

Description

[Jason Spiro]

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160316030233

Steps to reproduce:

1.  An email directed me to a phishing page.

hXXp://northwestbusinesslife.co.uk/cache/domain/secure-domains/document/login.php

NOTE:  Do not enter any of your real passwords into that site!  If you do, the site may attempt to defraud all your friends and family and cheat them out of their money.

2.  The page used a zero-second meta-refresh tag to redirect me to a data URI which held a second phishing page.

3.  I decided to report the second page.


Actual results:

1.  I pressed Alt+H to open the Help menu.

2.  I tried to choose "Report deceptive site..." but it was grayed out.


Expected results:

"Report deceptive site..." should not be grayed out.  Instead, it should be enabled.  If I click it, it should automatically report the first phishing page — the page which redirected me to the data URI.

Comment 1

[Jason Spiro]

I'm using Nightly 48.0a1 (2016-03-16) on Windows 10.

Comment 2

[Kohei Yoshino]

You can report the phishing site at https://www.google.com/safebrowsing/report_phish/?tpl=mozilla

Comment 3

[Daniel Veditz [:dveditz]]

This bug is not to report that specific site but rather to point out ways malicious sites make it hard to report. The best option when faced with a data: url is to look at the principal and offer to report that (if it's a Web scheme). The referrer might do in a pinch, but that will just lead to sites doing multiple redirects (or use the meta referrer policy) to clear it.

Comment 4

[François Marier [:francois]]

We've decided to block the problematic data: URI navigations in the first place (see bug 1380959) so this problem will go away and there will not be a need to report these phishing "URLs".