Bitwarden client apps (web, browser extension, desktop, and cli). bitwarden.com
Daniel Riera 3de3bee08f
[PM-27821]Add validation of extension origin for uses of window.postMessage (#17476)
* PM-27821 - Replace chrome.runtime.getURL() with BrowserApi.getRuntimeURL() for consistency
- Add extension origin validation for all window.postMessage calls
- Implement token-based authentication for inline menu communications
- Add message source validation (event.source === globalThis.parent)
- Add command presence validation (- Update notification bar to validate message origins and commands
- Add extensionOrigin property to services using postMessage
- Generate session tokens for inline menu containers (32-char random)
- Validate tokens in message handlers to prevent unauthorized commands

* Add explicit token validation

* only set when receiving the trusted initNotificationBar message

* await windowmessageorigin before posting to parent

* fix tests

* the parent must include its origin in the message for notification bar race condition

* reduce if statements to one block and comment

* extract parentOrigin from the URL and set windowMessageOrigin accordingly

* consolidate if statements

* add bar.spec file

* fix merge conflict
2025-11-25 13:42:46 -05:00
.checkmarx Update SAST preset to query set (#8569) 2024-04-01 16:24:04 -04:00
.claude Refactor the review code prompt to precisely target our clients repo (#17329) 2025-11-12 17:05:13 +01:00
.codescene disable code duplication check in unit tests (#6773) 2023-11-06 15:48:34 -05:00
.github Add clap and async-trait as tool owned dependencies (#17579) 2025-11-21 16:53:44 +01:00
.husky Update husky hooks (#7738) 2024-01-30 06:50:54 -08:00
.storybook [CL-890] fix flakey tests (#17160) 2025-11-04 15:35:23 -05:00
.vscode [PM-19731] Refactor encrypt service to expose key wrapping (#14080) 2025-04-22 13:56:39 +00:00
apps [PM-27821]Add validation of extension origin for uses of window.postMessage (#17476) 2025-11-25 13:42:46 -05:00
bitwarden_license [PM-27564] Self-host configuration is not applied with nx build (#17279) 2025-11-24 16:36:23 +01:00
docs refactor(nx): remove unneeded tsconfig.build.json & adjust nx docs (#16864) 2025-10-14 11:07:23 -04:00
libs [CL-854] feat: add bit-header component to component library (#17662) 2025-11-25 13:13:07 -05:00
scripts [PM-25911] Add commercial sdk internal as dependency (#16883) 2025-10-27 15:17:20 +01:00
.browserslistrc [PM-6788][PM-7755] add babel/preset-env and browserslist (#9383) 2024-05-30 18:42:26 -04:00
.editorconfig Add support for migrated jslib (#2826) 2022-06-03 18:01:07 +02:00
.git-blame-ignore-revs add prettier formatting merge commit to .git-blame-ignore-revs (#7037) 2023-11-29 17:53:26 -05:00
.gitattributes Apply Prettier (#2238) 2021-12-21 15:43:35 +01:00
.gitignore Implement reusable Claude code review workflow (#16979) 2025-10-27 16:25:40 +01:00
.npmrc [PM-25911] Add commercial sdk internal as dependency (#16883) 2025-10-27 15:17:20 +01:00
.nvmrc [PM-22343] Bump non-cli to Node 22 (#15058) 2025-06-26 18:05:37 -04:00
.prettierignore [PM-5551] Removing Autofill v2 and AutofillOverlay Feature Flags (#7642) 2024-01-22 17:11:07 +00:00
.prettierrc.json Update CL documentation (#5379) 2023-05-08 14:46:59 +02:00
angular.json Add bit-web to angular.json (#14798) 2025-05-16 09:14:21 +02:00
babel.config.json [PM-6788] enable bugfixes in babel/preset-env (#9465) 2024-05-31 17:59:39 -04:00
clients.code-workspace [14415] Extend VS Code extensions. (#12604) 2025-01-07 15:46:03 -05:00
CONTRIBUTING.md Update README and CONTRIBUTING to point to contributing.bitwarden.com (#2771) 2022-06-13 17:34:07 +10:00
eslint.config.mjs Enable directive-class-suffix (#17385) 2025-11-24 18:03:16 +01:00
jest.config.js refactor(libs): consolidate messaging-internal into messaging library (#16386) 2025-09-12 13:04:13 +02:00
jest.preset.js feat(nx): add basic-lib generator for streamlined library creation (#14992) 2025-06-05 14:20:23 -04:00
LICENSE_BITWARDEN.txt Fix some references to master (#14578) 2025-05-01 07:18:09 -07:00
LICENSE_GPL.txt Prepare bitwarden_license directory (#2663) 2022-05-09 17:50:15 +02:00
LICENSE.txt Fix some references to master (#14578) 2025-05-01 07:18:09 -07:00
nx.json feat(nx): add basic-lib generator for streamlined library creation (#14992) 2025-06-05 14:20:23 -04:00
package-lock.json [PM-27530] Rename BitwardenClient to PasswordManagerClient (#17578) 2025-11-25 14:48:25 +01:00
package.json [PM-27530] Rename BitwardenClient to PasswordManagerClient (#17578) 2025-11-25 14:48:25 +01:00
README.md [PM-19046] Update README mobile references (#13990) 2025-03-26 12:49:53 +00:00
SECURITY.md Revise language on SECURITY.md 2022-03-15 15:39:14 -04:00
tailwind.config.js Billing/pm 23385 premium modal in web after registration (#16182) 2025-09-04 14:44:04 +00:00
tsconfig.base.json refactor(libs): consolidate messaging-internal into messaging library (#16386) 2025-09-12 13:04:13 +02:00
tsconfig.eslint.json fix(eslint): extend tsconfig.base in tsconfig.eslint (#15082) 2025-06-05 11:08:03 -04:00
tsconfig.json Implement and extend tsconfig.base across projects (#14554) 2025-06-02 20:38:17 +00:00

Bitwarden



Bitwarden Client Applications

This repository houses all Bitwarden client applications except the mobile applications (iOS | android).

Please refer to the Clients section of the Contributing Documentation for build instructions, recommended tooling, code style tips, and lots of other great information to get you started.

We're Hiring!

Interested in contributing in a big way? Consider joining our team! We're hiring for many positions. Please take a look at our Careers page to see what opportunities are currently open as well as what it's like to work at Bitwarden.

Contribute

Code contributions are welcome! Please commit any pull requests against the main branch. Learn more about how to contribute by reading the Contributing Guidelines. Check out the Contributing Documentation for how to get started with your first contribution.

Security audits and feedback are welcome. Please open an issue or email us privately if the report is sensitive in nature. You can read our security policy in the SECURITY.md file.