User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:18.104.22.168) Gecko/20080311 Firefox/22.214.171.124
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:126.96.36.199) Gecko/20080311 Firefox/188.8.131.52

If you report google.com as phishing and then open a window with a frame containing google.com, the page in the frame does not show the phishing alert.

Reproducible: Always

Steps to Reproduce:
Create a new page containing a phishing site in a frame.

Should be confidential, because hackers can make pages that contain frames not marked as phishing.
This is fixed in Firefox 3. I'm not sure which patch fixed it -- maybe the one in bug 384941? I tested with: data:text/html,<iframe src="http://www.mozilla.com/firefox/its-a-trap.html"></iframe>
Phishing is different from malware. Phishing is primarily a mail-borne illness so we really only have to track the top-level sites that get sent out in spam mail (and web links to a lesser extent). Adding iframe checking doesn't buy you much in terms of effectiveness, and in our case bought us nothing since our data partner (Google) was only tracking top-level URIs. Evil-doers _could_ frame known phishing pages, but then they have to give out the new link and then that one gets added to the list, too. Malware is a different issue: malware in a frame can infect you whether you see it or not. Invisible malware frames are commonly injected on perfectly legitimate (but hacked) sites, often all at once as vulnerabilities in common site software are found. Protecting against that kind of threat involved significant changes to both what we checked for malware, and the structure of the "bad site" data we get from Google. The fact that our anti-phishing behavior changed to detect framed phishing sites is a side-effect of it being a subset of the new anti-malware feature, not because we thought the FF2 behavior was deficient.
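The difference the two comments above describe (a check that only consults the top-level URI versus one that walks every frame the page loads) can be shown with a small model. The following is an added example, not Firefox or Safe Browsing code: the blocklist entries, the sample pages and the `frames` tree representation are all constructed here, and the real data format and matching protocol differ from this simple prefix match. The reporter's own test (a data: URL framing the its-a-trap.html test page) is modelled as one of the sample pages.

```javascript
// Added example (not Mozilla code): a top-level-only blocklist check beside a
// check that walks the frame tree, the behaviour the bug thread contrasts.
// All list entries and page descriptions below are constructed samples.

// Constructed blocklist of host + path prefixes. The its-a-trap.html entry
// stands in for the phishing test page mentioned in the thread.
const BLOCKLIST = [
  "www.mozilla.com/firefox/its-a-trap.html",  // phishing test page (from thread)
  "hacked-blog.example.org/x/",               // constructed: malware injection path
];

// Canonicalise a URL to "host/path": lowercase host, no query or fragment,
// so a trivially varied link still matches the listed prefix.
function canonical(url) {
  const u = new URL(url);
  return u.hostname.toLowerCase() + u.pathname;
}

function isListed(url) {
  const key = canonical(url);
  return BLOCKLIST.some((prefix) => key.startsWith(prefix));
}

// A page is modelled as { url, frames: [ ...pages ] }; in a browser you would
// walk the real frame tree instead of this constructed object.
function checkTopLevelOnly(page) {
  // The FF2-era phishing behaviour described above: only the top-level URI is consulted.
  return isListed(page.url) ? page.url : null;
}

function checkFrameTree(page, maxDepth = 8, depth = 0) {
  // Depth-first walk over the page and every nested frame; returns the first
  // listed URL found, or null. maxDepth bounds deeply nested frame chains.
  if (depth > maxDepth) return null;
  if (isListed(page.url)) return page.url;
  for (const frame of page.frames || []) {
    const hit = checkFrameTree(frame, maxDepth, depth + 1);
    if (hit) return hit;
  }
  return null;
}

// Constructed sample 1: the reporter's scenario, a data: document framing the
// phishing test page. The data: URL itself is not on any list.
const REPORTER_PAGE = {
  url: 'data:text/html,<iframe src="http://www.mozilla.com/firefox/its-a-trap.html"></iframe>',
  frames: [{ url: "http://www.mozilla.com/firefox/its-a-trap.html", frames: [] }],
};

// Constructed sample 2: a legitimate site carrying an invisible injected frame,
// the malware case the second commenter describes.
const INJECTED_PAGE = {
  url: "https://innocent.example.net/news",
  frames: [
    { url: "https://ads.example.net/banner", frames: [] },
    { url: "https://HACKED-blog.example.org/x/inject.html#hidden", frames: [] },
  ],
};

// Constructed sample 3: a clean page with a clean frame.
const CLEAN_PAGE = {
  url: "https://innocent.example.net/about",
  frames: [{ url: "https://ads.example.net/banner", frames: [] }],
};

function summarise(page) {
  return {
    topLevelOnly: checkTopLevelOnly(page),
    frameTree: checkFrameTree(page),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, page] of [["reporter", REPORTER_PAGE], ["injected", INJECTED_PAGE], ["clean", CLEAN_PAGE]]) {
    console.log(name, summarise(page));
  }
}
```

Run it with Node. The top-level-only check returns null for both the reporter's page and the injected page, which is exactly the missed warning in the report; the frame-tree walk finds the framed URL in each case and still passes the clean page. Canonicalising before matching is what makes the upper-case host and the `#hidden` fragment in the injected sample irrelevant.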