Closed
Bug 323698
Opened 19 years ago
Closed 17 years ago
phishing detector complains about <form> tag
Categories
(Thunderbird :: Mail Window Front End, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mozilla, Assigned: mscott)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Currently, any e-mail containing an HTML form is considered a phishing scam. In phishingDetector.js:

    if (!isEmailScam && msgDocument.getElementsByTagName("form").length > 0)
      isEmailScam = true;

HTML forms are used legitimately in many online applications, hence the phishing detector should be more specific when considering an HTML form to be an e-mail scam.

One solution is to allow HTML forms, but complain if the text of the form's submit button does not match the website of the form, e.g.

    <form action="http://www.mozilla.com/submit.asp">
      <input type="submit" value="http://www.mozilla.com/"/>
    </form>

In this way, legitimate form creators can still use HTML forms within e-mail, without Thunderbird complaining, but scammers will have to display the site that the user is going to if they do not want Thunderbird to complain.

If convenient, I can complete the required development.

Reproducible: Always

Steps to Reproduce:
1. send an e-mail message containing an HTML form
2. retrieve the e-mail message containing the form and open it in Thunderbird

Actual Results:
3. "Thunderbird thinks this message might be an e-mail scam"
See also bug 282500 comment 3 and later comments.
Comment 2•19 years ago (Reporter)
Looking at bug 282500, it was suggested that rather than blocking all HTML forms, when the user clicks the submit button, a warning box appears, along the lines of "You are about to submit information to [domain], do you wish to continue?" with a checkbox option "Don't warn me when sending information to [domain]". This enables users to easily whitelist domains they use e-mail forms with, and still get warned before posting something to a scammer.

The company I work for use HTML forms, and they want Thunderbird to support this, so if convenient, I can look at the required development.
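The two proposals in this thread (comment 0's submit-label check and comment 2's per-domain warning), sketched next to the original "any form is a scam" rule. This is an added example, not Thunderbird's phishingDetector.js; the form objects, the function names and the `collector.example` host are assumptions made for illustration.

```javascript
// Added example, not Thunderbird's phishingDetector.js. Forms are modelled as
// plain { action, submitLabel } objects so the logic runs without a DOM.

// Hosts the user ticked "Don't warn me" for (comment 2). Assumed in-memory store.
const trustedHosts = new Set();

// Lower-cased host of an absolute http(s) URL, or null if the text is not one.
function hostOf(text) {
  try {
    const url = new URL(String(text).trim());
    return /^https?:$/.test(url.protocol) ? url.hostname.toLowerCase() : null;
  } catch (e) {
    return null;
  }
}

// Behaviour quoted in comment 0: any <form> marks the message as a scam.
function anyFormIsScam(forms) {
  return forms.length > 0;
}

// Comment 0 proposal: complain unless the submit button text names the same
// host as the form's action. Unparseable values count as a mismatch.
function labelMismatch(form) {
  const actionHost = hostOf(form.action);
  const labelHost = hostOf(form.submitLabel);
  return actionHost === null || labelHost === null || actionHost !== labelHost;
}

// Comment 2 proposal: at submit time, warn with the destination host unless
// the user has already trusted it.
function submitDecision(form) {
  const host = hostOf(form.action);
  return { host, warn: host === null || !trustedHosts.has(host) };
}

function rememberHost(host) {
  trustedHosts.add(host.toLowerCase());
}

// Constructed sample forms: the one from comment 0, and one whose button text
// shows a different site than the action posts to.
const legitForm = { action: "http://www.mozilla.com/submit.asp", submitLabel: "http://www.mozilla.com/" };
const mismatchedForm = { action: "http://collector.example/submit", submitLabel: "http://www.mozilla.com/" };
```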
Comment 3•17 years ago
The code cited in comment 0 was replaced with the patch for bug 328749. Forms are now analyzed for the URL on any 'action' attribute.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED