release(runway): cherry-pick feat: path based blocking

[runway-github]

• feat: path based blocking (feat: path based blocking cp-13.4.3 #36634)

Description

Introduces URL path based blocking within the extension. This allows
websites like example.com/path to be blocked rather than blocking all
of example.com.

Changelog

CHANGELOG entry: Added path-based blocking for URLs

Related issues

Fixes:

Manual testing steps

1. Go to sites.google.com/view/aoooop/aave-com and make sure that it
   you are redirected to the Phishing Warning Page
2. Go to sites.google.com/view/aoooop/ and make sure that it does not
   redirect you.
3. Go to sites.google.com/view/aoooop/aave-com/path and make sure that
   you are redirected to the Phishing Warning Page.
4. Click proceed anyway
5. Going to sites.google.com/view/aoooop/aave-com should also no
   longer redirect to the Phishing Warning Page.
6. Going to sites.google.com/view/aoooop/aave-com/path should also no
   longer redirect to the Phishing Warning Page (implicit in step 4).

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor
  Docs and MetaMask
  Extension Coding
  Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format
  if applicable
• I’ve applied the right labels on the PR (see labeling
  guidelines).
  Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the
  app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described
  in the ticket it closes and includes the necessary testing evidence such
  as recordings and or screenshots.

---

Note

Adds path-based phishing detection (blocklistPaths + whitelistPaths), updates diffs API to v2, and extends tests/mocks/policies accordingly.

• Phishing detection:
  • Introduce PathTrie with insertToTrie, deleteFromTrie, matchedPathPrefix, and helpers for efficient path checks.
  • Extend PhishingDetector to block by blocklistPaths and expose blockingPath(url).
  • Update PhishingController:
    • Support whitelistPaths state and path-based bypass logic.
    • Use matchedPathPrefix to allow whitelisted paths.
    • Parse paths via getPathnameFromUrl.
• Utils:
  • Add getHostnameAndPathComponents and getPathnameFromUrl.
  • Enhance applyDiffs to handle blocklistPaths with trie ops and deep copy (deepCopyPathTrie).
  • Keep domain lists processing unchanged for hostnames.
• API:
  • Change hotlist diffs endpoint to '/v2/diffsSince'.
• State/metadata:
  • Persist whitelistPaths; default state includes empty trie; update removal keys and metrics allowlist.
• Tests & mocks:
  • Update phishing mocks to new stalelist shape and add blocklistPaths support.
  • Add E2E fixtures/pages for path scenarios; new tests for blocklisted and whitelisted paths; adjust existing tests for v2 endpoint.
  • Update unit tests to include blocklistPaths in list state.
• Build/security:
  • Update LavaMoat policies with PathTrie_* globals.
  • Patch @metamask/phishing-controller via Yarn; bump related deps (@metamask/base-controller, @metamask/controller-utils, @metamask/messenger, @metamask/utils, @metamask/phishing-warning).

^{Written by Cursor Bugbot for commit 5b54350. This will update automatically on new commits. Configure here.}

---

Co-authored-by: augmentedmode [email protected] 8bdd1e1

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[metamaskbot]

✨ Files requiring CODEOWNER review ✨

🔑 @MetaMask/accounts-engineers (1 files, +1 -0)

• 📁 app/
  • 📁 scripts/
    • 📁 lib/
      • 📁 snap-keyring/
        • 📁 utils/
          • 📄 isBlockedUrl.test.ts +1 -0

---

🧩 @MetaMask/extension-devs (4 files, +20 -0)

• 📁 lavamoat/
  • 📁 browserify/
    • 📁 beta/
      • 📄 policy.json +5 -0
    • 📁 experimental/
      • 📄 policy.json +5 -0
    • 📁 flask/
      • 📄 policy.json +5 -0
    • 📁 main/
      • 📄 policy.json +5 -0

---

📜 @MetaMask/policy-reviewers (4 files, +20 -0)

• 📁 lavamoat/
  • 📁 browserify/
    • 📁 beta/
      • 📄 policy.json +5 -0
    • 📁 experimental/
      • 📄 policy.json +5 -0
    • 📁 flask/
      • 📄 policy.json +5 -0
    • 📁 main/
      • 📄 policy.json +5 -0

Tip

Follow the policy review process outlined in the LavaMoat Policy Review Process doc before expecting an approval from Policy Reviewers.

---

🔗 @MetaMask/supply-chain (4 files, +20 -0)

• 📁 lavamoat/
  • 📁 browserify/
    • 📁 beta/
      • 📄 policy.json +5 -0
    • 📁 experimental/
      • 📄 policy.json +5 -0
    • 📁 flask/
      • 📄 policy.json +5 -0
    • 📁 main/
      • 📄 policy.json +5 -0

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​metamask/​messenger@​0.2.0 ⏵ 0.3.0			+1	-1
	@​metamask/​base-controller@​8.3.0 ⏵ 8.4.1				+1
	@​metamask/​controller-utils@​11.12.0 ⏵ 11.14.1	+1		+1	+3
	@​metamask/​utils@​11.7.0 ⏵ 11.8.1	+1		+1	-2
	@​metamask/​phishing-warning@​5.0.1 ⏵ 5.1.0	+8		+7	+10

View full report

[metamaskbot]

📊 Page Load Benchmark Results

Current Commit: ecbd824 | Date: 10/13/2025

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.05s (±73ms) 🟡 | historical mean value: 1.05s ⬇️ (historical data)
• domContentLoaded-> current mean value: 735ms (±70ms) 🟢 | historical mean value: 739ms ⬇️ (historical data)
• firstContentfulPaint-> current mean value: 75ms (±13ms) 🟢 | historical mean value: 77ms ⬇️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.05s	73ms	1.01s	1.33s	1.28s	1.33s
domContentLoaded	735ms	70ms	697ms	1.01s	945ms	1.01s
firstPaint	75ms	13ms	60ms	188ms	84ms	188ms
firstContentfulPaint	75ms	13ms	60ms	188ms	84ms	188ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

---

Results generated automatically by MetaMask CI

[metamaskbot]

Builds ready [ecbd824]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• bundle size: Bundle Size Stats
• user-actions-benchmark: User Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
  • content-script: 0
  • offscreen: 0

UI Startup Metrics (1258 ± 73 ms)

Platform	BuildType	Page	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P 75 (ms)	P 95 (ms)
Chrome	Browserify	Home	uiStartup	1258	1112	1496	73	1311	1363
			load	1090	960	1299	68	1140	1193
			domContentLoaded	1081	953	1284	67	1133	1183
			domInteractive	18	14	45	6	18	36
			firstPaint	598	94	1294	437	1092	1163
			backgroundConnect	251	232	433	21	254	270
			firstReactRender	25	17	51	6	27	39
			getState	14	5	67	8	17	28
			initialActions	5	1	50	6	6	11
			loadScripts	838	719	1015	66	891	936
			setupStore	10	6	23	3	10	17
	Webpack	Home	uiStartup	1975	1424	2521	277	2158	2457
			load	1589	1118	1937	211	1754	1861
			domContentLoaded	1579	1114	1923	213	1748	1850
			domInteractive	17	12	92	12	15	45
			firstPaint	163	66	407	66	188	287
			backgroundConnect	33	15	291	38	31	56
			firstReactRender	82	39	330	60	78	305
			getState	30	5	289	69	14	270
			initialActions	6	2	31	5	6	20
			loadScripts	1575	1112	1911	212	1745	1838
			setupStore	18	6	248	35	13	25
Firefox	Browserify	Home	uiStartup	1368	1209	1805	99	1422	1537
			load	1186	1061	1367	67	1247	1305
			domContentLoaded	1185	1060	1366	67	1247	1305
			domInteractive	97	30	292	47	110	214
			firstPaint	NaN	NaN	NaN	NaN	NaN	NaN
			backgroundConnect	31	19	135	13	35	45
			firstReactRender	27	23	60	6	27	34
			getState	7	3	108	10	6	12
			initialActions	4	0	47	7	3	12
			loadScripts	1161	1042	1298	63	1221	1258
			setupStore	11	4	196	20	8	25
	Webpack	Home	uiStartup	1557	1362	1863	133	1665	1836
			load	1326	1167	1604	120	1421	1567
			domContentLoaded	1326	1167	1603	120	1420	1566
			domInteractive	105	33	314	53	105	280
			firstPaint	NaN	NaN	NaN	NaN	NaN	NaN
			backgroundConnect	33	21	100	10	38	48
			firstReactRender	37	31	49	3	38	41
			getState	6	3	13	2	7	11
			initialActions	3	1	10	2	3	6
			loadScripts	1300	1131	1584	121	1398	1539
			setupStore	11	5	141	15	9	20

[metamaskbot]

📊 Page Load Benchmark Results

Current Commit: 5b54350 | Date: 10/13/2025

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.06s (±78ms) 🟡 | historical mean value: 1.05s ⬆️ (historical data)
• domContentLoaded-> current mean value: 741ms (±85ms) 🟢 | historical mean value: 739ms ⬆️ (historical data)
• firstContentfulPaint-> current mean value: 89ms (±126ms) 🟢 | historical mean value: 77ms ⬆️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.06s	78ms	1.01s	1.44s	1.29s	1.44s
domContentLoaded	741ms	85ms	699ms	1.28s	969ms	1.28s
firstPaint	89ms	126ms	60ms	1.34s	88ms	1.34s
firstContentfulPaint	89ms	126ms	60ms	1.34s	88ms	1.34s
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

---

Results generated automatically by MetaMask CI

[metamaskbot]

Builds ready [5b54350]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• bundle size: Bundle Size Stats
• user-actions-benchmark: User Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14
  • content-script: 0
  • offscreen: 0

UI Startup Metrics (1239 ± 72 ms)

Platform	BuildType	Page	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P 75 (ms)	P 95 (ms)
Chrome	Browserify	Home	uiStartup	1239	1104	1440	72	1270	1383
			load	1071	954	1260	65	1103	1206
			domContentLoaded	1062	941	1253	65	1092	1198
			domInteractive	18	14	47	6	17	38
			firstPaint	548	92	1217	415	1046	1175
			backgroundConnect	253	240	354	13	256	279
			firstReactRender	25	16	89	9	29	40
			getState	15	6	92	12	19	29
			initialActions	5	1	69	8	6	13
			loadScripts	817	692	999	64	849	945
			setupStore	10	7	23	3	11	17
	Webpack	Home	uiStartup	1906	1468	2506	284	2125	2430
			load	1528	1178	1926	214	1691	1848
			domContentLoaded	1521	1172	1915	213	1687	1836
			domInteractive	17	12	83	13	14	41
			firstPaint	168	65	471	67	182	297
			backgroundConnect	27	13	71	10	28	56
			firstReactRender	91	36	340	74	79	329
			getState	32	5	304	73	13	281
			initialActions	6	2	24	5	5	19
			loadScripts	1517	1169	1904	212	1685	1824
			setupStore	14	6	244	23	13	23
Firefox	Browserify	Home	uiStartup	1415	1218	1782	120	1486	1696
			load	1221	1068	1519	83	1283	1351
			domContentLoaded	1220	1068	1518	83	1282	1350
			domInteractive	107	35	505	65	111	239
			firstPaint	NaN	NaN	NaN	NaN	NaN	NaN
			backgroundConnect	38	21	184	28	38	104
			firstReactRender	28	24	79	7	29	34
			getState	9	3	60	11	7	43
			initialActions	3	0	14	2	3	8
			loadScripts	1193	1048	1471	79	1251	1314
			setupStore	9	4	33	5	8	22
	Webpack	Home	uiStartup	1535	1312	1886	162	1674	1850
			load	1307	1113	1584	136	1403	1560
			domContentLoaded	1307	1113	1583	136	1402	1559
			domInteractive	106	35	297	60	102	287
			firstPaint	NaN	NaN	NaN	NaN	NaN	NaN
			backgroundConnect	33	19	87	11	38	46
			firstReactRender	36	30	54	4	37	44
			getState	7	3	155	15	6	10
			initialActions	4	1	106	10	3	5
			loadScripts	1283	1094	1562	138	1381	1541
			setupStore	9	5	82	8	8	17