Provide way for users to bypass phishing warning #2784

Closed
danfinlay opened this issue Dec 21, 2017 · 6 comments

Comments

@danfinlay (Contributor)

Obviously it should be hard to do, but some users are pros and know what they're doing.

Example: One user edited their local DNS to resolve etherdelta to the correct IP, so even when the DNS was hijacked, they wanted their resolution respected.

@ghost

ghost commented Dec 21, 2017

some users are pros and know what they're doing

Hard to do should be really hard to do. Users will just get socially engineered into following the override steps if MetaMask puts this into the UI, so this may become a new attack vector on the plugin. Self-XSS using the browser's "pro" developer tools was used in a 2014 Facebook scam, and pages trying to phish will just make up a bullshit reason for the user to need to follow the override steps, such as saying "we recently changed hosts", which became a rumor in the EtherDelta DNS hijacking case today. There should probably be user copy and a warning that explicitly states that if you're being told you need to do this, you are being tricked.

@bdresser (Contributor)

It's time to make this happen 😄

Let's follow the chrome pattern and include a small link that says Advanced

Clicking the Advanced link should show some text that says

This site has been blocked because it is known to be dangerous. Visiting the website may permanently compromise your keys, track your account activity, or attempt to phish your funds. Proceed at your own caution; MetaMask is not responsible for support or any loss of funds that occurs on this site.

And then a red button that says Proceed Anyways that actually takes them through to the next page.
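An added example (not MetaMask's own code) of the Chrome-style pattern proposed above, in JavaScript: the proceed control only appears after "Advanced" is opened, an override is scoped to a single hostname and kept in memory only, and the expanded section carries the "you are being tricked" copy suggested earlier in the thread. The blocklist entries and the `PhishingGuard` API are constructed for this demo.

```javascript
// Constructed blocklist for the demo; the real extension ships its own list.
const DEMO_BLOCKLIST = ["phishing.example", "etherdelta-fake.example"];

class PhishingGuard {
  constructor(blocklist) {
    this.blocklist = blocklist.map((d) => d.toLowerCase());
    // Hosts the user explicitly overrode: scoped per host and kept in memory
    // only, so one override neither whitelists the whole list nor persists.
    this.bypassed = new Set();
  }

  // Blocked if the host equals a listed domain or is a subdomain of one.
  isBlocked(hostname) {
    const h = hostname.toLowerCase();
    return this.blocklist.some((bad) => h === bad || h.endsWith("." + bad));
  }

  shouldWarn(hostname) {
    return this.isBlocked(hostname) && !this.bypassed.has(hostname.toLowerCase());
  }

  // Interstitial for a blocked host; the proceed control is only rendered once
  // "Advanced" has been opened, mirroring the Chrome pattern.
  interstitial(hostname) {
    const guard = this;
    const state = { advancedOpen: false };
    return {
      render() {
        const lines = [
          `This site (${hostname}) has been blocked because it is known to be dangerous.`,
          "Visiting it may compromise your keys, track your activity, or phish your funds.",
          "[Advanced]",
        ];
        if (state.advancedOpen) {
          // Copy along the lines suggested earlier in the thread.
          lines.push("If someone told you to click this, you are being tricked.");
          lines.push("[Proceed anyway]");
        }
        return lines;
      },
      openAdvanced() { state.advancedOpen = true; },
      proceed() {
        if (!state.advancedOpen) throw new Error("Proceed is hidden until Advanced is opened");
        guard.bypassed.add(hostname.toLowerCase());
        return hostname;
      },
    };
  }
}
```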

@cjeria (Contributor)

cjeria commented Oct 1, 2018

@bitpshr @bdresser @danfinlay Posting an updated design for feedback on the phishing warning page.
[image: updated design for the phishing warning page]

@bdresser (Contributor)

bdresser commented Oct 1, 2018

@cjeria this is definitely an improvement on what we have, thank you!

At this point, I'd rather just get the extra pass-through link added to the page we have. Given the time-sensitivity I don't think a full re-style is necessary.

As described above, I also think we should hide the link to "Proceed anyway" behind an "Advanced" section to give an extra layer of warning.

cc @whymarrh

@cjeria (Contributor)

cjeria commented Oct 1, 2018

@bdresser This shouldn't take much time to implement if someone proficient in html/css picks this up. In my experience with front-end, it would take me ~30min max to build out the style for this. Getting the link to the domain being visited may take a bit longer but I'll let @whymarrh or @bitpshr be the judge of that.

WRT adding an advanced section, I don't think it's totally necessary as this page is very obviously communicating the message, but that's just my two cents.

update: Since this is a pressing issue, the suggested design can probably be implemented after the quick version.

@whymarrh (Contributor)

whymarrh commented Oct 2, 2018

#5406 doesn't include the redesign, but I'll implement that in a 2nd PR very soon (thanks @cjeria btw)


6 participants