From e87a1c096c5c6542c03753005cdad048b1ccc3cd Mon Sep 17 00:00:00 2001
From: Cris Barreiro
Date: Mon, 9 Dec 2024 11:11:59 +0100
Subject: [PATCH] Check if request belongs to current page
---
 .../app/browser/BrowserWebViewClient.kt | 2 +-
 .../app/browser/WebViewRequestInterceptor.kt | 3 ++-
 .../api/MaliciousSiteProtection.kt | 4 +---
 .../impl/RealMaliciousSiteProtection.kt | 21 +++++--------------
 4 files changed, 9 insertions(+), 21 deletions(-)
diff --git a/app/src/main/java/com/duckduckgo/app/browser/BrowserWebViewClient.kt b/app/src/main/java/com/duckduckgo/app/browser/BrowserWebViewClient.kt
index 23b7edb1b6db..cc4be064a52f 100644
--- a/app/src/main/java/com/duckduckgo/app/browser/BrowserWebViewClient.kt
+++ b/app/src/main/java/com/duckduckgo/app/browser/BrowserWebViewClient.kt
@@ -165,7 +165,7 @@ class BrowserWebViewClient @Inject constructor(
 Timber.v("shouldOverride webViewUrl: ${webView.url} URL: $url")
 webViewClientListener?.onShouldOverride()
- if (phishingAndMalwareDetector.shouldOverrideUrlLoading(url, webView, isForMainFrame, isRedirect, onSiteBlockedAsync)) {
+ if (phishingAndMalwareDetector.shouldOverrideUrlLoading(url, webView.url?.toUri(), isForMainFrame, isRedirect, onSiteBlockedAsync)) {
 // TODO (cbarreiro): Handle site blocked synchronously
 return true
 }
diff --git a/app/src/main/java/com/duckduckgo/app/browser/WebViewRequestInterceptor.kt b/app/src/main/java/com/duckduckgo/app/browser/WebViewRequestInterceptor.kt
index 2241c5f72003..ee7c2e360da6 100644
--- a/app/src/main/java/com/duckduckgo/app/browser/WebViewRequestInterceptor.kt
+++ b/app/src/main/java/com/duckduckgo/app/browser/WebViewRequestInterceptor.kt
@@ -102,7 +102,8 @@ class WebViewRequestInterceptor(
 val onSiteBlockedAsync: () -> Unit = {
 // TODO (cbarreiro): Handle site blocked asynchronously
 }
- maliciousSiteProtection.shouldIntercept(request, webView, documentUri, onSiteBlockedAsync)?.let {
+
+ maliciousSiteProtection.shouldIntercept(request, documentUri, onSiteBlockedAsync)?.let {
 // TODO (cbarreiro): Handle site blocked synchronously
 return it
 }
diff --git a/malicious-site-protection/malicious-site-protection-api/src/main/kotlin/com/duckduckgo/malicioussiteprotection/api/MaliciousSiteProtection.kt b/malicious-site-protection/malicious-site-protection-api/src/main/kotlin/com/duckduckgo/malicioussiteprotection/api/MaliciousSiteProtection.kt
index 8d2f97cd67dc..46111f9a7d20 100644
--- a/malicious-site-protection/malicious-site-protection-api/src/main/kotlin/com/duckduckgo/malicioussiteprotection/api/MaliciousSiteProtection.kt
+++ b/malicious-site-protection/malicious-site-protection-api/src/main/kotlin/com/duckduckgo/malicioussiteprotection/api/MaliciousSiteProtection.kt
@@ -19,12 +19,10 @@ package com.duckduckgo.malicioussiteprotection.api
 import android.net.Uri
 import android.webkit.WebResourceRequest
 import android.webkit.WebResourceResponse
-import android.webkit.WebView
 interface MaliciousSiteProtection {
 suspend fun shouldIntercept(
 request: WebResourceRequest,
- webView: WebView,
 documentUri: Uri?,
 onSiteBlockedAsync: () -> Unit,
 ): WebResourceResponse?
@@ -33,7 +31,7 @@ interface MaliciousSiteProtection {
 fun shouldOverrideUrlLoading(
 url: Uri,
- webView: WebView,
+ webViewUrl: Uri?,
 isForMainFrame: Boolean,
 isRedirect: Boolean,
 onSiteBlockedAsync: () -> Unit,
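Review bot: `documentUri: Uri?` and the new `webViewUrl: Uri?` carry no documentation of what a caller must pass or what a null value means, although the implementation changed in this same commit uses both to decide whether a request is looked up at all. Each method should get a KDoc that names the expected value and the outcome of a mismatch, for example `@param webViewUrl URL the WebView reports when the callback fires; the main-frame check runs only when it equals [url]`. `documentUri` on shouldIntercept in the first hunk of this file needs the matching `@param` line. BrowserWebViewClient passes `webView.url?.toUri()`, so the null case is reachable and worth stating.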
diff --git a/malicious-site-protection/malicious-site-protection-impl/src/main/kotlin/com/duckduckgo/malicioussiteprotection/impl/RealMaliciousSiteProtection.kt b/malicious-site-protection/malicious-site-protection-impl/src/main/kotlin/com/duckduckgo/malicioussiteprotection/impl/RealMaliciousSiteProtection.kt
index 1adfdbcd1093..cfac9d01e46e 100644
--- a/malicious-site-protection/malicious-site-protection-impl/src/main/kotlin/com/duckduckgo/malicioussiteprotection/impl/RealMaliciousSiteProtection.kt
+++ b/malicious-site-protection/malicious-site-protection-impl/src/main/kotlin/com/duckduckgo/malicioussiteprotection/impl/RealMaliciousSiteProtection.kt
@@ -19,7 +19,6 @@ package com.duckduckgo.malicioussiteprotection.impl
 import android.net.Uri
 import android.webkit.WebResourceRequest
 import android.webkit.WebResourceResponse
-import android.webkit.WebView
 import androidx.core.net.toUri
 import com.duckduckgo.app.di.AppCoroutineScope
 import com.duckduckgo.app.di.IsMainProcess
@@ -33,7 +32,6 @@ import java.net.URLDecoder
 import javax.inject.Inject
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.launch
-import kotlinx.coroutines.withContext
 import org.json.JSONObject
 import timber.log.Timber
@@ -75,13 +73,13 @@ class RealMaliciousSiteProtection @Inject constructor(
 private val processedUrls = mutableListOf()
 private fun shouldIntercept(url: Uri, onSiteBlockedAsync: () -> Unit): Boolean {
+ Timber.tag("PhishingAndMalwareDetector").d("shouldIntercept $url")
 // TODO (cbarreiro): Implement the logic to check if the URL is malicious
 return false
 }
 override suspend fun shouldIntercept(
 request: WebResourceRequest,
- webView: WebView,
 documentUri: Uri?,
 onSiteBlockedAsync: () -> Unit,
 ): WebResourceResponse? {
@@ -104,20 +102,13 @@ class RealMaliciousSiteProtection @Inject constructor(
 return null
 }
- Timber.tag("PhishingAndMalwareDetector").d("shouldIntercept $decodedUrl, referer ${request.requestHeaders["Referer"]}")
-
- if (request.isForMainFrame) {
+ if (request.isForMainFrame && decodedUrl.toUri() == documentUri) {
 if (shouldIntercept(decodedUrl.toUri(), onSiteBlockedAsync)) {
 return WebResourceResponse(null, null, null)
 }
 processedUrls.add(decodedUrl)
- } else if (
- isForIframe(request)
- ) {
+ } else if (isForIframe(request) && documentUri?.host == request.requestHeaders["Referer"]?.toUri()?.host) {
 if (shouldIntercept(decodedUrl.toUri(), onSiteBlockedAsync)) {
- withContext(dispatchers.main()) {
- webView.stopLoading()
- }
 return WebResourceResponse(null, null, null)
 }
 processedUrls.add(decodedUrl)
@@ -127,7 +118,7 @@ class RealMaliciousSiteProtection @Inject constructor(
 override fun shouldOverrideUrlLoading(
 url: Uri,
- webView: WebView,
+ webViewUrl: Uri?,
 isForMainFrame: Boolean,
 isRedirect: Boolean,
 onSiteBlockedAsync: () -> Unit,
@@ -143,9 +134,7 @@ class RealMaliciousSiteProtection @Inject constructor(
 return false
 }
- Timber.tag("PhishingAndMalwareDetector").d("shouldOverrideUrlLoading $decodedUrl")
-
- if (isForMainFrame) {
+ if (isForMainFrame && decodedUrl.toUri() == webViewUrl) {
 if (shouldIntercept(decodedUrl.toUri(), onSiteBlockedAsync)) {
 return true
 }
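Review bot: Both new conditions in shouldIntercept appear to fail open: a request that matches neither branch skips the lookup, and the rest of the function lies outside this hunk. The main-frame branch requires `decodedUrl.toUri() == documentUri`, but `decodedUrl` looks URL-decoded (it is built above the hunk), so a page address containing percent-escapes would presumably never equal the raw `documentUri`; comparing the undecoded value, `request.url == documentUri`, avoids that. The iframe branch trusts the `Referer` header, which the page's referrer policy can remove and which names the parent frame rather than the document for nested frames. Treating a missing header as a match keeps at least those requests checked: `val refererHost = request.requestHeaders["Referer"]?.toUri()?.host` followed by `refererHost == null || refererHost == documentUri?.host`. The decoded-versus-raw comparison recurs in the shouldOverrideUrlLoading hunk at -143,9.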
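Review bot: `decodedUrl.toUri() == webViewUrl` compares the navigation target with the value BrowserWebViewClient reads from `webView.url`, and as far as I know WebView keeps reporting the page currently shown until the new navigation commits, so for an ordinary link click the two would differ and the main-frame lookup would not run. What happens when the condition is false is below this hunk, so this needs confirming against the rest of shouldOverrideUrlLoading. If only stale callbacks are meant to be dropped, say so next to the condition, e.g. `// TODO confirm: webViewUrl may still be the previous page when this callback fires`, and add a unit test that passes the previous page as `webViewUrl`. A null `webViewUrl` also makes the comparison false, and the code should state whether that is intended.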