Skip to content

fix: Handle messages from Android and iOS WebViews which detect iFrame urls and send them to React Native app#16706

Merged
Tyschenko merged 4 commits intomainfrom
feature/iframe_malicious_url_detection
Jul 21, 2025
Merged

fix: Handle messages from Android and iOS WebViews which detect iFrame urls and send them to React Native app#16706
Tyschenko merged 4 commits intomainfrom
feature/iframe_malicious_url_detection

Conversation

@Tyschenko
Copy link
Copy Markdown
Contributor

@Tyschenko Tyschenko commented Jun 26, 2025

Description

Issue: https://github.com/MetaMask/mobile-planning/issues/2227

We currently have an anti-fishing warning which is displayed when user opens a malicious website.
But there is a way to bypass this warning if you load a malicious website via iFrame.

Example of the malicious website: https://coin-qr.to/
Example of the website with a malicious iFrame: https://lol-au4.pages.dev/cb (opens coin-qr.to inside in the iFrame)
We can inject a JS script in the mobile browser that will check webpage's iFrames and report their URLs to the browser in MetaMask mobile app.

Related issues

Android change: MetaMask/react-native-webview-mm#60
iOS change: MetaMask/react-native-webview-mm#61

Manual testing steps

  1. Go to https://lol-au4.pages.dev/cb
  2. Make sure warning is displayed
  3. Go to coin-qr.to
  4. Make sure warning is displayed
  5. Go to uniswap.org
  6. Make sure NO warning is displayed

Screenshots/Recordings

Android and iOS videos:
https://github.com/user-attachments/assets/dba5ff6e-5c7b-41d6-9a8c-426dfb7dede6
https://github.com/user-attachments/assets/dd90b6d5-28c6-47de-9ee6-daa5f048ea44

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

@Tyschenko Tyschenko requested review from a team and smilingkylan June 26, 2025 10:17
@Tyschenko Tyschenko added type-bug Something isn't working team-mobile-platform Mobile Platform team Run Smoke E2E labels Jun 26, 2025
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jun 26, 2025

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@Tyschenko Tyschenko added the No QA Needed Apply this label when your PR does not need any QA effort. label Jun 26, 2025
@Tyschenko Tyschenko mentioned this pull request Jun 26, 2025
Closed
7 tasks
@MetaMask MetaMask deleted a comment from github-actions Bot Jun 26, 2025
@metamaskbot
Copy link
Copy Markdown
Collaborator

metamaskbot commented Jun 26, 2025
edited
Loading

https://bitrise.io/ Bitrise

❌❌❌ pr_smoke_e2e_pipeline failed on Bitrise! ❌❌❌

Commit hash: 5e5bccb
Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/61a9a820-35bd-4734-abb7-d8e79beaf93d

Note

  • You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

Tip

  • Check the documentation if you have any doubts on how to understand the failure on bitrise

cursor[bot]

This comment was marked as outdated.

Sign in to view

@Tyschenko Tyschenko force-pushed the feature/iframe_malicious_url_detection branch from 60d2854 to efa4fd5 Compare July 21, 2025 09:49
cursor[bot]

This comment was marked as outdated.

Sign in to view

cursor[bot]

This comment was marked as outdated.

Sign in to view

@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Jul 21, 2025
edited by metamaskbot
Loading

https://bitrise.io/ Bitrise

✅✅✅ pr_smoke_e2e_pipeline passed on Bitrise! ✅✅✅

Commit hash: 10a253f
Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/fb34cded-8c58-4138-bff9-f04eaabfeb70

Note

  • You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented Jul 21, 2025

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

smilingkylan
smilingkylan approved these changes Jul 21, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@smilingkylan smilingkylan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@Tyschenko Tyschenko added this pull request to the merge queue Jul 21, 2025
Merged via the queue into main with commit 3bc9b5b Jul 21, 2025
56 of 58 checks passed
@Tyschenko Tyschenko deleted the feature/iframe_malicious_url_detection branch July 21, 2025 15:52
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 21, 2025
@metamaskbot metamaskbot added the release-7.53.0 Issue or pull request that will be included in release 7.53.0 label Jul 21, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

+1 more reviewer

@smilingkylan smilingkylan smilingkylan approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

No QA Needed Apply this label when your PR does not need any QA effort. release-7.53.0 Issue or pull request that will be included in release 7.53.0 team-mobile-platform Mobile Platform team type-bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Tyschenko @metamaskbot @smilingkylan @gauthierpetetin