clients/apps/browser
Daniel Riera 3de3bee08f
[PM-27821]Add validation of extension origin for uses of window.postMessage (#17476)
* PM-27821 - Replace chrome.runtime.getURL() with BrowserApi.getRuntimeURL() for consistency
- Add extension origin validation for all window.postMessage calls
- Implement token-based authentication for inline menu communications
- Add message source validation (event.source === globalThis.parent)
- Add command presence validation (
- Update notification bar to validate message origins and commands
- Add extensionOrigin property to services using postMessage
- Generate session tokens for inline menu containers (32-char random)
- Validate tokens in message handlers to prevent unauthorized commands

* Add explicit token validation

* only set when receiving the trusted initNotificationBar message

* await windowmessageorigin before posting to parent

* fix tests

* the parent must include its origin in the message for notification bar race condition

* reduce if statements to one block and comment

* extract parentOrigin from the URL and set windowMessageOrigin accordingly

* consolidate if statements

* add bar.spec file

* fix merge conflict
2025-11-25 13:42:46 -05:00
..
.vscode Multi root workspace tweaks (#2858) 2022-06-13 21:39:36 -05:00
config Remove showPasswordless conditionals (#11928) 2024-11-15 12:34:02 -05:00
scripts [BRE-1303] Providing method for pinning Chrome extension ID for dev (#17432) 2025-11-19 16:11:51 -05:00
spec PM-27820 (#17245) 2025-11-05 20:22:34 -05:00
src [PM-27821]Add validation of extension origin for uses of window.postMessage (#17476) 2025-11-25 13:42:46 -05:00
store Autosync the updated translations (#17145) 2025-10-31 17:49:04 +00:00
webpack [PM-22629] Forbid importing popup outside (#15168) 2025-06-13 08:54:49 -05:00
.gitignore Ps/pm 2910/browser header component (#6641) 2023-10-25 18:27:32 +00:00
CLAUDE.md [PM-26337] Create a Claude markdown file (#16676) 2025-10-03 16:48:01 +02:00
crowdin.yml Fix Crowdin Pull workflow (#2667) 2022-05-10 10:20:32 -04:00
jest.config.js Implement and extend tsconfig.base across projects (#14554) 2025-06-02 20:38:17 +00:00
package.json [BRE-1303] Providing method for pinning Chrome extension ID for dev (#17432) 2025-11-19 16:11:51 -05:00
postcss.config.js eslint: report unused disable directives (#13463) 2025-03-10 09:33:08 -04:00
project.json build(nx): fix serve browser (#16972) 2025-10-22 06:21:25 -04:00
README.md Fix some references to master (#14578) 2025-05-01 07:18:09 -07:00
tailwind.config.js [PM-23713] premium badge interaction (#16911) 2025-11-03 10:16:01 -06:00
test.setup.ts [deps] Platform: Update @types/chrome to v0.1.0 (#15697) 2025-09-26 17:02:39 +02:00
tsconfig.json [CL-761] Enable strict template typechecking (#17334) 2025-11-25 11:04:37 -05:00
tsconfig.spec.json [CL-525] Upgrade angular to v19 (#14815) 2025-06-02 13:13:31 -04:00
webpack.base.js [PM-25911] Add commercial sdk internal as dependency (#16883) 2025-10-27 15:17:20 +01:00
webpack.config.js refactor(nx): remove unneeded tsconfig.build.json & adjust nx docs (#16864) 2025-10-14 11:07:23 -04:00

Bitwarden Browser Extension

The Bitwarden browser extension is written using the Web Extension API and Angular.

Documentation

Please refer to the Browser section of the Contributing Documentation for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.