From 913b7655688bbddd7d233d8d5e698f646268e2a1 Mon Sep 17 00:00:00 2001
From: Thomas Espach
Date: Wed, 20 Dec 2023 09:25:29 +0000
Subject: [PATCH 1/4] Change from PDF download to DMG download with 302 redirect.

This specific test case was not implemented correctly, instead we need a 302 redirect with a different binary format since PDFs render inside the browser instead of forcing downloads.
---
 security/address-bar-spoofing/spoof-js-download-url.html | 4 ++--
 server.js | 6 ++++++
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/security/address-bar-spoofing/spoof-js-download-url.html b/security/address-bar-spoofing/spoof-js-download-url.html
index af12852..fda82cb 100644
--- a/security/address-bar-spoofing/spoof-js-download-url.html
+++ b/security/address-bar-spoofing/spoof-js-download-url.html
@@ -10,8 +10,8 @@ function run() {
 const w = open()
 w.opener = null
- w.document.write('

Not Third Party Site.

')
- w.location = 'https://bad.third-party.site/features/download/file/pdf'
+ w.document.write('

Not DDG.

')
+ w.location = '/security/address-bar-spoofing/download-redirect'
 }
diff --git a/server.js b/server.js
index b081daa..7609b87 100644
--- a/server.js
+++ b/server.js
@@ -255,6 +255,12 @@ app.get('/redirect', (req, res) => {
 res.end();
 });
 
+// Returns a 301 redirect to a download link of our browser
+// for use in the address bar spoofing test
+app.get('/security/address-bar-spoofing/download-redirect', (req, res) => {
+ res.redirect(301, "https://staticcdn.duckduckgo.com/macos-desktop-browser/duckduckgo.dmg");
+});
+
 app.use('/content-scope-scripts/', express.static('node_modules/@duckduckgo/content-scope-scripts/integration-test/test-pages/'));
 
 const blockingRoutes = require('./privacy-protections/request-blocking/server/routes');

From 3840b41c6910174c626558fc4a0772f5cd97396c Mon Sep 17 00:00:00 2001
From: Thomas Espach
Date: Wed, 20 Dec 2023 09:30:43 +0000
Subject: [PATCH 2/4] Single quotify.

---
 server.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/server.js b/server.js
index 7609b87..7ba834e 100644
--- a/server.js
+++ b/server.js
@@ -258,7 +258,7 @@ app.get('/redirect', (req, res) => {
 // Returns a 301 redirect to a download link of our browser
 // for use in the address bar spoofing test
 app.get('/security/address-bar-spoofing/download-redirect', (req, res) => {
- res.redirect(301, "https://staticcdn.duckduckgo.com/macos-desktop-browser/duckduckgo.dmg");
+ res.redirect(301, 'https://staticcdn.duckduckgo.com/macos-desktop-browser/duckduckgo.dmg');
 });
 
 app.use('/content-scope-scripts/', express.static('node_modules/@duckduckgo/content-scope-scripts/integration-test/test-pages/'));

From bdede46cefec1f951aa61d78e1a21121654b85ac Mon Sep 17 00:00:00 2001
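Review bot: The added `app.get('/security/address-bar-spoofing/download-redirect', …)` handler answers with status 301, while the patch subject and description say the test needs a 302; a 301 is cacheable by the browser, so after the first run the client may follow the cached redirect without contacting the server, which makes the fixture harder to change later and can mask regressions between runs. For a test fixture, `res.redirect(302, 'https://staticcdn.duckduckgo.com/macos-desktop-browser/duckduckgo.dmg');` with the comment changed to `// Returns a 302 redirect to a download link of our browser` matches the stated intent. The same 301 is carried unchanged into the quote-only hunk of PATCH 2/4 and into the new `security/address-bar-spoofing/server/routes.js` in PATCH 3/4. The target is a full browser installer on an external CDN, so every run of the test triggers that download and depends on the CDN being reachable; if a cross-origin target is not required by the spoofing scenario, a small locally served file sent with `Content-Disposition: attachment` would avoid both costs, though the cross-origin hop may be intentional here.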
From: Thomas Espach
Date: Wed, 20 Dec 2023 10:16:10 +0000
Subject: [PATCH 3/4] Move security routes out of server.js.

---
 security/address-bar-spoofing/server/routes.js | 10 ++++++++++
 server.js | 9 +++------
 2 files changed, 13 insertions(+), 6 deletions(-)
 create mode 100644 security/address-bar-spoofing/server/routes.js

diff --git a/security/address-bar-spoofing/server/routes.js b/security/address-bar-spoofing/server/routes.js
new file mode 100644
index 0000000..e05d963
--- /dev/null
+++ b/security/address-bar-spoofing/server/routes.js
@@ -0,0 +1,10 @@
+const express = require('express');
+const router = express.Router();
+
+// Returns a 301 redirect to a download link of our browser
+// for use in the download path test
+router.get('/download-redirect', (req, res) => {
+ res.redirect(301, 'https://staticcdn.duckduckgo.com/macos-desktop-browser/duckduckgo.dmg');
+});
+
+module.exports = router;
\ No newline at end of file
diff --git a/server.js b/server.js
index 7ba834e..6307fe6 100644
--- a/server.js
+++ b/server.js
@@ -255,12 +255,6 @@ app.get('/redirect', (req, res) => {
 res.end();
 });
 
-// Returns a 301 redirect to a download link of our browser
-// for use in the address bar spoofing test
-app.get('/security/address-bar-spoofing/download-redirect', (req, res) => {
- res.redirect(301, 'https://staticcdn.duckduckgo.com/macos-desktop-browser/duckduckgo.dmg');
-});
-
 app.use('/content-scope-scripts/', express.static('node_modules/@duckduckgo/content-scope-scripts/integration-test/test-pages/'));
 
 const blockingRoutes = require('./privacy-protections/request-blocking/server/routes');
@@ -280,3 +274,6 @@ app.use('/features/client-hints', chRoutes);
 
 const clearDataRoutes = require('./features/clear-data/server/routes.js');
 app.use('/features/clear-data', clearDataRoutes);
+
+const addressBarSpoofingRoutes = require('./security/address-bar-spoofing/server/routes.js');
+app.use('/security/address-bar-spoofing', addressBarSpoofingRoutes);
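Review bot: The comment above `router.get('/download-redirect', …)` in the new routes.js says what the route returns but not why a DMG is the target; that reasoning only exists in the PATCH 1/4 message (a PDF renders inline, so the test needs a navigation the browser treats as a download) and will be lost to anyone reading the file later. Suggest extending the comment to `// Redirects to a binary (DMG) rather than a PDF: PDFs render inline in the browser, and the address bar spoofing test needs a navigation that forces a download`. The comment also now reads "download path test" where the same comment in server.js read "address bar spoofing test"; using one name for the test in both the comment and the directory would avoid confusion about which page exercises this route.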
From a9d504513f26099665bf0a5da1277ecd18c2a59d Mon Sep 17 00:00:00 2001
From: Thomas Espach
Date: Wed, 20 Dec 2023 10:20:42 +0000
Subject: [PATCH 4/4] Whitespace fix.

---
 security/address-bar-spoofing/server/routes.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/address-bar-spoofing/server/routes.js b/security/address-bar-spoofing/server/routes.js
index e05d963..4c279ca 100644
--- a/security/address-bar-spoofing/server/routes.js
+++ b/security/address-bar-spoofing/server/routes.js
@@ -7,4 +7,4 @@ router.get('/download-redirect', (req, res) => {
 res.redirect(301, 'https://staticcdn.duckduckgo.com/macos-desktop-browser/duckduckgo.dmg');
 });
 
-module.exports = router;
\ No newline at end of file
+module.exports = router;