Closed Bug 323698 Opened 19 years ago Closed 17 years ago

phishing detector complains about <form> tag

Categories

(Thunderbird :: Mail Window Front End, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mozilla, Assigned: mscott)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Currently, any e-mail containing an HTML form is considered a phishing scam.

In phishingDetector.js:
if (!isEmailScam && msgDocument.getElementsByTagName("form").length > 0)
    isEmailScam = true;

HTML forms are used legitimately in many online applications, hence the phishing detector should be more specific when considering an HTML form to be an e-mail scam.

One solution is to allow HTML forms, but complain if the text of the form's submit button does not match the website of the form.

e.g. 
<form action="http://www.mozilla.com/submit.asp">
<input type="submit" value="http://www.mozilla.com/"/>
</form>

In this way, legitimate form creators can still use HTML forms within e-mail, without Thunderbird complaining, but scammers will have to display the site that the user is going to if they do not want Thunderbird to complain.


If convenient, I can complete the required development.

Reproducible: Always

Steps to Reproduce:
1. send an e-mail message containing an HTML form
2. retrieve the e-mail message containing the form and open it in Thunderbird


Actual Results:  
3. "Thunderbird thinks this message might be an e-mail scam"

See also bug 282500 comment 3 and later comments.

Looking at bug 282500, it was suggested that rather than blocking all HTML forms, when the user clicks the submit button, a warning box appears, along the lines of "You are about to submit information to [domain], do you wish to continue?" with a checkbox option "Don't warn me when sending information to [domain]"

This enables users to easily whitelist domains they use e-mail forms with, and still get warned before posting something to a scammer.

The company I work for use HTML forms, and they want Thunderbird to support this, so if convenient, I can look at the required development.

The code cited in comment 0 was replaced with the patch for bug 328749.
Forms are now analyzed for the URL on any 'action' attribute.
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
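
The check proposed in comment 0 (submit button text must show the host the form posts to) and the per-domain whitelist suggested in the later comment, sketched next to the blanket rule as an added example. This is not Thunderbird's code and not the patch for bug 328749; `hostOf`, `classifyForm`, `blanketRule` and `proposedRule` are hypothetical names, and the form objects are constructed samples.

```javascript
// Added example; helper names are hypothetical and sample forms are constructed.
// A form is described by what a mail client would read from the message DOM:
//   { action: <form action attribute>, submitLabels: [<submit button values>] }

// Hostname of an absolute http(s) URL, or null for anything else.
function hostOf(text) {
  try {
    const u = new URL(String(text).trim());
    const web = u.protocol === "http:" || u.protocol === "https:";
    return web && u.hostname ? u.hostname.toLowerCase() : null;
  } catch (e) {
    return null; // relative URL, plain words such as "Submit", empty string
  }
}

// "ok" when the user can see (or has already trusted) where the form posts.
function classifyForm(form, trustedHosts = new Set()) {
  const actionHost = hostOf(form.action || "");
  if (actionHost === null) return "warn";        // destination unknown
  if (trustedHosts.has(actionHost)) return "ok"; // "Don't warn me ... [domain]"
  const labels = form.submitLabels || [];
  if (labels.length === 0) return "warn";        // nothing shows the destination
  // Compare parsed hosts, not substrings: "http://a.example@b.example/" posts to b.example.
  return labels.every((l) => hostOf(l) === actionHost) ? "ok" : "warn";
}

// Behaviour quoted in comment 0: any form at all marks the message.
function blanketRule(forms) {
  return forms.length > 0;
}

// Proposed behaviour: mark the message only if some form hides its destination.
function proposedRule(forms, trustedHosts) {
  return forms.some((f) => classifyForm(f, trustedHosts) === "warn");
}

const legit = { action: "http://www.mozilla.com/submit.asp",
                submitLabels: ["http://www.mozilla.com/"] };
const mismatch = { action: "http://other.example/collect",
                   submitLabels: ["http://www.mozilla.com/"] };
console.log(blanketRule([legit]), proposedRule([legit]), proposedRule([mismatch]));
```

Under this sketch a form with an ordinary "Submit" label still warns until its host is on the trusted list, which is where the two suggestions in the thread meet.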