* PM-28516 alidate iframe and stylesheet URLs against their own origins to handle
cases where chrome assigns different extension ids in different contexts
* switch to regex to match exisiting match pattern
* updated regex to account for safari
* Correctly fill generated passwords and current password on plex.tv
* Correctly fill generated passwords and current password on plex.tv
* Leave existing forEach
* Add tests for changes
* turn off inline experience if host page aggressively competes for top of top-layer
* add alert message for top-layer hijack scenarios
* widen the backoff threshold
* refactor backoff logic to include popover attribute mutations
* improve getPageIsOpaque check
* do not attempt inline menu insertion if it has been disabled for security concerns
* fix typo
* cleanup
* add tests
* chore: update @types/firefox-webext-browser
* fix: add world: MAIN to Firefox page script registration
* review: add world property to registration type
This commit adds use_dynamic_url: true to the extension's web_accessible_resources configuration. When enabled, Chrome generates random session-based GUIDs for extension resource URLs instead of using the predictable static extension ID. This enhances privacy by making extension resource URLs unpredictable and prevents third-party enumeration of installed extensions.
The feature is supported in Chrome 102+ and changes resource URLs from chrome-extension://[static-id]/resource to chrome-extension://[random-guid]/resource, with GUIDs regenerating each browser session while maintaining all existing extension functionality.
Addresses: https://bitwarden.atlassian.net/browse/PM-28344
* PM-27900 harden iframe, origin route tightening and test updates
* reduce comments to make more legible
* Removes referrer check in favor of PM-27822 #17313bitwarden/clients@4206447cfe
* nake token optional since it is later set
* whitelist -> allowlist
* improve notes on unsafe
* improve content handler notes
* order allowlist
* improve jsdoc on ismessagefromextension method
* cover additional test cases
* rename verifytoken and document more clear, update referrer
---------
Co-authored-by: Miles Blackwood <mrobinson@bitwarden.com>
* premium upgrade nudge
* add specs
* clean up vault template and specs
* fix date comparison. add more specs for date
* fix spec
* fix specs
* make prop private
* PM-4903- added a check for auth status and popout tabs, if no popup tab and auth is locked, abandon autofill
* add test
* clear all notifications if unlock popout closed
* add more tests and use tabid for performance optimization
* feat: add support for IPC client managed session storage
* feat: update SDK
* fix: using undecorated service in jslib module directly
* feat: add test case for web
* chore: document why we use any type
* fix: `ipc` too short
* typo: omg
* Revert "typo: omg"
This reverts commit 559b05eb5a.
* Revert "fix: `ipc` too short"
This reverts commit 35fc99e10b.
* fix: use camelCase
* PM-26916 utilize opid on focused fields as first validation in order to avoid erroneously filling other similar fields
* extract logic to helper and take totp and multiple forms into account
* run prettier
* avoid filling with opid if already filled
* clean up comments and avoid early return so all fields are scanned
* add tests
* allow for search while vault is loading
* fix comment wording
* remove subscription return value - it is not used
* update `distinctUntilChanged` to account for tuple
* use feature flag to determine search pattern
* fix tests & lint issues
* fix lint errors part 2
* add import to overflow styles to override the overflow applied by virtual scrolling
* add position relative so absolute children display in scrolling context rather over the entire page
* add fade in skeleton to vault page
* refactor vault loading state to shared service
* disable search while loading
* add live announcement when vault is loading / loaded
* simplify announcement
* resolve CI issues
* add feature flag for skeletons
* add feature flag observables for loading state
* update component naming
* consolidated session timeout settings component
* rename preferences to appearance
* race condition bug on computed signal
* outdated header for browser
* unnecessary padding
* remove required on action, fix build
* rename localization key
* missing user id
* required
* cleanup task
* eslint fix signals rollback
* takeUntilDestroyed, null checks
* move browser specific logic outside shared component
* explicit input type
* input name
* takeUntilDestroyed, no toast
* unit tests
* cleanup
* cleanup, correct link to deprecation jira
* tech debt todo with jira
* missing web localization key when policy is on
* relative import
* extracting timeout options to component service
* duplicate localization key
* fix failing test
* subsequent timeout action selecting opening without dialog on first dialog cancellation
* default locale can be null
* unit tests failing
* rename, simplifications
* one if else feature flag
* timeout input component rendering before async pipe completion
* typing cleanup
* additional cleanup
* more typing fixes
* revert notification background changes
* fix DOM query service breakage
* do not run a fill_by_opid action if there is a nullish or empty value attribute
* type cleanup
* cleanup per review suggestions
* remove unused flag check
* add non-null assertion signposts
* additional cleanup
* add persistent callout in settings for non-premium users
* always call password reprompt in doAutofill
* ensure password reprompt is checked in all instances
* Revert "add persistent callout in settings for non-premium users"
This reverts commit d206832cd3.
* limit port to internal communications
* A few more internal-only ports
* fixup tests
disabled tests that are now failing with a race condition.
* Remove autofill team review requirement