mirror of
https://github.com/bitwarden/android.git
synced 2026-05-06 07:48:22 -05:00
[GH-ISSUE #578] URI Match Detection 'Starts with' doesn't work in Chrome on Android #13437
Closed
opened 2026-04-14 23:03:37 -05:00 by GiteaMirror
·
42 comments
No Branch/Tag Specified
main
sdlc/sdk-update
new-item-types/PM-32810_bank-account-view
new-item-types/PM-32810_bank-account
beta-for-qa
BWA-253/not-displaying-totp-coded-with-empty-key
target-sdk-37
vvolkgang/renovate-remove-group
pm-34038/card-scanner-qa-fixes
PM-33982/build-device-screen
PM-30625/filter-out-empty-totp-vault-count
vvolkgang/update-jira-release-notes
new-item-types/PM-34123_new-item-menu
new-item-types/PM-32806_passport
new-item-types/PM-32808_drivers-license
BWA-99/show-next-totp
BWA-99/add-preview-next-totp-code-setting
renovate/glidecompose
chore/improve-android-ui-verification-skill
sync-min-sdk
release/2026.4-rc51
fix/security-sast-22741894-bvwj
related-origin-passkey-creation
release/2026.4-rc50
platform/android-breaking-change-detection
innovation-sprint-2026-send-folder
release/2026.3-rc49
PM-34193-vault-lockout
android-collections
llm/add-resolving-sdk-updates-skill
QA-1523/sanity-test-saucelabs
release/2026.3-rc48
PM-26577-app-links-support
PM-26896-autofill-fix
release/2026.2-rc47
pr-6572
release/2026.2-rc46
release/2026.1-rc45
PM-30644/added-logs-for-debug
PM-30644/quicktile-nav-not-showing-migration
minor-gradle-updates
release/2026.1-rc42
release/2026.1-rc44
release/2026.1-rc43
PM-28834/set-landscape-on-horizonos-devices
PM-28468/validate-and-navigate-to-vault-migration
PM-20026/force-ltr-passwords-and-codes
release/2025.12-rc41
cmcg/testCoverage
PM-29014/talkback-support-for-passwords
release/2025.12-rc40
BRE-1305/publish_test
accept-user-certs
autofill-permissions
release/2025.11-rc39
PM-22479/check-all-certificates-validate-asset-links
release/2025.10-rc38
agalles/android-latest
retro-agent
PM-27001/skip-account-selection-only-one-exists-cxp
release/2025.10-rc37
agalles/test-1118
release/2025.10-rc36
PM-20593-token-refresh
QA-1126b/adding-native-sanity-test
release/2025.9-rc35
pm-25933/sdk-update-password
release/2025.9-rc34
release/2025.8-rc33
agalles/20250821-release
debug-release-issues
pm-24249-allow-automated-prs-for-sdk-updates
release/2025.8-rc32
release/WORKFLOW-TEST-2025.8-rc28
agalles/20250807release
release/2025.07-rc25
release/hotfix-v2025.7.0-bwa
pm-23311/export-vault-policy-bypass
release/2025.07-rc24
authenticator-pm-sync-flags-issue
release/hotfix-v2025.6.0-bwpm
release/2025.06-rc21
agalles/automate-android-fastlane-patch
release/2025.05-rc20
release/2025.04-rc19
languages/basque
release/2025.03-rc19
update-readme
qrcode/feature
innovation/archive/pm-19153-archive-items
qrcode/2-ui-fields
qrcode/1-page
hold-on-biometric-prompt-alternative
release-notes-process
release/2025.02-rc16
bwa-monorepo
PM-8223/new-device-verification-ux-improvements
pm-18451/exempt-from-policies
test-bwa
release/2025.01-rc15
release/2025.01-rc14
release/2024.12-rc13
pm-16670/sync-leave-notice
821
PM-16695/backport-lean-more-new-device-verification
release/hotfix-v2024.11.7
release/2024.11-rc1
pm-11304/collection-add-item-button
PM-14241/disabling-logs-app-crash
poc/offline-editing
new-version-calc
pm-11649/expired-link-services
pm-6702/add-feature-flag
pm-6702/email-verification-feature
pm-9933/marketing-copy-update
pm-6702/registration-flows
update-templates
pm-6701/email-verification-selfhost-registration
v2026.4.0-bwa
v2026.4.0-bwpm
v2026.3.1-bwa
v2026.3.1-bwpm
v2026.3.0-bwpm
v2026.3.0-bwa
v2026.2.1-bwpm
v2026.2.1-bwa
v2026.2.0-bwpm
v2026.2.0-bwa
v2026.1.1-bwa
v2026.1.1-bwpm
temp-test
v2026.1.0-bwpm
v2026.1.0-bwa
v2025.12.1-bwa
v2025.12.1-bwpm
v2025.12.0-bwa
v2025.12.0-bwpm
v2025.11.1-bwpm
v2025.11.1-bwa
v2025.11.0-bwpm
v2025.11.0-bwa
v2025.10.1-bwa
v2025.10.1-bwpm
v2025.10.0-bwa
v2025.10.0-bwpm
v2025.9.1-bwa
v2025.9.1-bwpm
v2025.9.0-bwa
v2025.9.0-bwpm
v2025.8.1-bwa
v2025.8.1-bwpm
v2025.8.0-bwa
v2025.8.0-bwpm
v2025.7.2-bwa
v2025.7.2-bwpm
v2025.7.1-bwa
v2025.7.1-bwpm
v2025.7.0-bwa
v2025.7.0-bwpm
v2025.6.1-bwpm
v2025.6.0-bwa
v2025.6.0-bwpm
v2025.1.0-bwa
v2025.5.0-bwa
v2025.5.0-bwpm
v2025.5.999
2025.4.0
v2025.4.0
untagged-4731eaadac73f3dfbbb8
v2025.3.0
v2025.2.0
untagged-815a165c5d70ffe75bc7
v2025.1.2
v2025.1.1
v2025.1.0
v2024.12.0
untagged-5a76b6392a4c8998c63a
v2024.11.7
v2024.11.6
v2024.11.5
v2024.11.4
v2024.11.3
v2024.11.2
v2024.11.1
v2024.11.0
v2024.10.2
v2024.10.1
v2024.10.0
v2024.9.0
v2024.8.1
v2024.8.0
v2024.7.3
v2024.7.2
v2024.7.1
v2024.7.0
v2024.6.1
v2024.6.0
v2024.5.1
v2024.4.1
v2024.4.2
v2024.4.0
v2024.3.3
v2024.3.1
v2024.3.0
v2024.2.1
v2024.2.0
v2024.1.1
v2024.1.0
v2023.12.0
v2023.10.0
v2023.9.2
maui-single-project-android
v2023.9.1
v2023.9.0
v2023.8.0
v2023.7.0
v2023.5.0
v2023.4.0
v2023.3.2
v2023.3.1
v2023.3.0
v2023.2.0
v2023.1.0
v2022.11.0
v2022.10.0
v2022.9.1
v2022.9.0
v2022.8.0
v2022.6.2
v2022.6.1
v2022.6.0
v2022.05.0
v2.18.0
v2.17.0
v2.16.4
v2.16.3
v2.16.2
v2.16.1
v2.15.0
v2.14.2
v2.14.1
v2.14.0
v2.13.0
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.0
v2.9.1
v2.9.0
v2.8.2
v2.8.1
v2.8.0
v2.7.2
v2.7.0
v2.6.1
v2.6.0
v2.5.6
v.2.5.5
v2.5.5
v2.5.4
v2.5.3
v2.5.2
v2.5.1
v2.5.0
v2.4.3
v2.4.2
v2.4.1
v2.4.0
v2.3.1
v2.3.0
v2.2.8
v2.2.7
v2.2.6
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.0
v2.0.6
v2.0.5
v2.0.4
v2.0.3
v2.0.2
v2.0.1
v2.0.0
v1.22.1
v1.22.0
v1.21.0
v1.20.0
v1.19.0
v1.18.1
v1.18.0
v1.17.0
v1.16.0
v1.15.2
v1.15.1
v1.15.0
v1.14.4
v1.14.1
v1.14.0
v1.13.0
v1.12.2
v1.12.1
v1.12.0
v1.11.1
v1.11.0
v1.10.0
v1.9.0
v1.8.1
v1.8.0
v1.7.0
v1.6.5
v1.6.1
v1.6.0
v1.5.1
v1.5.0
v1.4.4
v1.4.3
v1.4.0
v1.3.0
v1.2.1
v1.2.0
v1.1.0
v1.0.0
v0.0.6
v0.0.5
v0.0.4
v0.0.3
v0.0.2
v0.0.1
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: github-starred/android#13437
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @ghost on GitHub (Aug 12, 2019).
Original GitHub issue: https://github.com/bitwarden/android/issues/578
URI Match Detection doesn't work when using 'Starts with' in Chrome on Android.
For example, using the following URI:
https://mail.example.com/adminThe above URI format works just fine in Firefox on Android when using 'Starts with' as the URI Match Detection rule, but no results are returned when using Chrome on Android.
This was an issue in the old mobile version as well, I just never got around to reporting it.
Works fine in Chrome on Windows.
@kspearrin commented on GitHub (Aug 14, 2019):
It is working on Android by my tests, but isn't obvious because of how URLs are parsed on Android. Often times (depending on the browser and which autofill service you are using), I don't know the true URL of the page you are viewing. For example, I may only know the domain "amazon.com" or some other shorted version of the true URL that is displayed in the address bar of the browser app. Because of this, your existing URI detection rules may not work on android or you may need to add additional rules to accommodate.
@ghost commented on GitHub (Aug 14, 2019):
I'm using a personal domain name, with a subdomain and directory path.
When attempting to use the accessibility service to autofill my login credentials, I get the following message in Bitwarden:
There are no items in your vault for example.com.
I receive this message despite being on
https://mail.example.com/adminand a properly formatted 'Starts with' match detection on the entry.I do plan to switch to Firefox, and I can confirm everything works there. It also works properly in Chrome on Windows. The only place this match detection fails seems to be while using Bitwarden in Chrome on Android.
EDIT: There is a hyphen in the base domain name. I am unsure if this may be apart of the problem or not but might be worth mentioning.
@kspearrin commented on GitHub (Aug 14, 2019):
As previously mentioned, chrome doesn't show the whole URL in the address bar, so Bitwarden isn't able to match a starts with "https://mail.example.com/admin".
@ghost commented on GitHub (Aug 14, 2019):
Ah okay, thank you!
@quthla commented on GitHub (Oct 7, 2019):
Are you referring to the visible address bar in the browser window at the top?
@kspearrin commented on GitHub (Oct 7, 2019):
Yes
@jikamens commented on GitHub (Jan 12, 2020):
If Chrome on Android doesn't make the whole URL available to Bitwarden to match against, then shouldn't Bitwarden adjust how it does the matching so that vault entries which would match of the whole URL were available store up in the list of entries available for autofill?
@quthla commented on GitHub (Feb 4, 2020):
@kspearrin is there any fix for this planned maybe?
@ghost commented on GitHub (Feb 4, 2020):
I really hope there is a work around. It's annoying trying to fill these entries on mobile.
It seems like the answer to most bugs in Bitwarden is switch to Firefox. :( I just like my Chromium based browsers.
@quthla commented on GitHub (Feb 4, 2020):
Yeah it's really annoying when you have multiple apps in different subfolders and need "starts with" matching
@ghost commented on GitHub (Feb 4, 2020):
I use Starts with when reverse proxying a lot of apps on the same subdomain. Otherwise there ends up being a lot of autofill clutter by just matching against the hostname.
Logging into these apps on mobile is always a pain. I have to hit search every time and start typing in the app I want to fill.
Edit: Sometimes the first fill doesn't actually work, so I end up having to do the search process a second time. 🙁
@BeecherNetworks commented on GitHub (Mar 10, 2020):
This problem occurs in Firefox too.
@rg9400 commented on GitHub (Apr 20, 2020):
I'm still having this issue on beta build 2279. It's fairly cumbersome if you are reverse proxying across multiple subfolders/subdomains where the "Starts With" match detection is the most relevant option.
@ghost commented on GitHub (Apr 20, 2020):
Is there a chance this can be addressed in the near future? This is the only thing left that drives me absolutely insane on a daily basis.
@BeecherNetworks commented on GitHub (Apr 20, 2020):
Ditto. I run a ton of services on subdomains set to match on Host, and they never match in Firefox, I have to search each time, and autofill from search is very hit and miss.
@jffernandez commented on GitHub (Apr 21, 2020):
Pay attention to the next release, please, verify if that works for you too. https://github.com/bitwarden/mobile/issues/432#issuecomment-612528533
After the fix in my PR https://github.com/bitwarden/mobile/pull/830 if no results in the list, you should switch to default match on settings, but if full URL is available, the filter will be applied.
@Stephan-P commented on GitHub (Apr 30, 2020):
I'd like to chime in here, as I've been experiencing the same issue with Vivaldi and Edge browsers as well.
Today's beta version 2.3.1 (2376) resolves the issue "items for --", but unfortunately does not provide a solution for this issue with the "Starts with" url matching option. If I set the matching option to "Starts with" no items are found in the database. They are properly found when using options "Base domain" or "Host name".
@quthla commented on GitHub (Apr 30, 2020):
As a workaround, you can either set a regex match which optionally matches the scheme or just another starts with match without the scheme prepended.
That's probably your best bet as I've reported this issue more than a year ago but nothing happened since then.
@jffernandez commented on GitHub (Apr 30, 2020):
I think it's working now, as nice as it can work on Android, because the APP can not get the full URL from the page in your navigator, only the protocol and server, that is, for example: https://github.com even it will get the host if present as https://www.github.com
So, if you try to login, for example at Github, your full URL will be: https://github.com/login?return_to=... and maybe that is what you have on your database (or maybe https://github.com/login)
Finally, when Bitwarden check if your current URL (https://github.com/ for Bitwarden, because of the stated above) "startsWith" https://github.com/login (or whatever you have in your database) it's a False, so will be not found. It will work if you store your github login with URI: https://github.com
In a computer, Bitwarden will get the full URL of the page on your browser, so it works.
You can try "Host" as your match method, it works great for me!
@quthla commented on GitHub (Apr 30, 2020):
I think it's the other way around. In Chrome on Android there's no scheme in the url and if you've got a vault item with starts with https://github.com but the url Bitwarden reads from Chrome is github.com, it will not match this.
@jffernandez commented on GitHub (Apr 30, 2020):
Try to shorten the URI you have saved in your database, delete all after the domain, that worked for me.
And on the debugger I got the scheme from Android emulator (maibe it depends on the service too, I'm using Auto-Fill, not Accesibility one)
Anyway, Host match is now working, and that will solve your problem, give it a try!
@ghost commented on GitHub (Apr 30, 2020):
Using host as a match method isn't ideal when you reverse proxy multiple applications on your domain.
For example:
My use case really needs
Starts withdetection to work.At this point I am considering multiple subdomains as a work around.
@quthla commented on GitHub (Apr 30, 2020):
It seems you don't understand the actual issue. It is not about what's after the domain but rather what's before. Check the address bar in Chrome. There's no url scheme to be matched. And yes, it might work with autofill instead of accessibility, but autofill is hopelessly broken in Chrome and will just randomly stop working, so I've got that turned off.
EDIT: I've just tested it with only autofill enabled and accessbility disabled. It won't work there either with starts with match detection on newest beta. Even worse, autofill seems to be cutting off the whole path of the url.
You can use my workaround
@ghost commented on GitHub (Apr 30, 2020):
@quthla I'll take a look at the work around you mentioned above later today. Thanks for the tip!
Edit: I was unable to get a match using regex and a second
Starts withentry without the scheme.Regex:
^https:\/\/media.example.com\/sonarr\/*Starts with (no scheme):
media.example.com/sonarr/At this point the only workaround I see is to use multiple subdomains and match via hostname.
I would really like it if
Starts withcould be made to work on mobile.@ghost commented on GitHub (May 1, 2020):
Are there any possible workarounds to make
Starts withfunctionality work on Chrome?@rg9400 commented on GitHub (May 1, 2020):
Yeah, I tried just doing Starts With on
domain.com/mypagewith no luck either. This functionality seems to be completely broken on Android, and I have to use a different matching scheme to make it work (which is not ideal at all).@quthla commented on GitHub (May 1, 2020):
You must turn off autofill service and only use the accessibility service.
^(https?://)?domain.com/path/
This is the regex I'm using with different paths on the same domain.
@ghost commented on GitHub (May 1, 2020):
Your regex expression works, as long as the autofill service is disabled like you said. :)
Thanks for the workaround. Still hoping for an official fix.
@ghost commented on GitHub (May 3, 2020):
As it turns out, disabling the autofill framework and using a regex expression doesn't work for me, simply because I require the use of the autofill framework to get an autofill option when using HTTP Basic Auth.
In a nutshell, you don't automatically get an autofill prompt for HTTP Basic Auth prompts. However, you can tap and hold on the username / password input and then tap
...and there will be anAutofilloption. This is essential as I have a few non-public web services secured by HTTP Basic Auth and use randomized passwords. To autofill using this method, it's required to have the autofill framework enabled.In the case of having the autofill framework disabled (So regex expressions work), switching to the Bitwarden app and back to fill in this rare case isn't reasonable, because it results in the prompt going away and the page returning
401 Authorization Required. Normally not a big deal either, but the username is randomized too. i.e. netdata-{randomnumbers}. Which means I need to copy the username and password since the username isn't as memorable.Ultimately there should be an official workaround within the Bitwarden codebase to make the functionality work on browsers that do not show the full URL in the address bar. I'm not even sure if it's possible, but a man can only hope.
Bitwarden is near perfect in every way for me as of late, especially now that the accessibility service uses the overlay that the autofill framework uses. Just a few more edge cases to polish up for those of us that are in the tech crowd.
@rg9400 commented on GitHub (May 5, 2020):
Unfortunately, the workaround does not work for me either. This is a fairly big bug on the mobile app for Bitwarden, and hopefully it can be fixed soon.
@BeecherNetworks commented on GitHub (May 5, 2020):
I think I've mentioned previously but my problem is more general and I think others in the thread are experiencing the same thing: Nothing with a subdomain is found, no matter what the settings. For developers and hosts working on dozens of sites and servers, it's an absolute pain.
@quthla commented on GitHub (May 5, 2020):
@BeecherNetworks try with only accessibility service turned on and make sure you then get the accessibility popup and not the autofill one. They look slightly different.
@BeecherNetworks commented on GitHub (May 7, 2020):
With Accessibility it only works some of the time. When it does, Bitwarden does find the correct item, but only when I click through, it isn't available from the popup.
I've found triggering pretty wonky lately sometimes too, sometimes it works when I click the username field, sometimes only the password field, and sometimes not at all.
The new fashion for two-stage logins is causing problems too. I don't really get the fascination for this. A username and password are a username and password, why put it on two bloody pages!?
@rg9400 commented on GitHub (Jun 17, 2020):
Any updates on this? I've been finding the mobile app fairly frustrating to use because of this bug since it seems most of the sites I am populating passwords on mobile tend to be these subfolders that refuse to match using the "Starts With" detection method.
@quthla commented on GitHub (Dec 16, 2020):
@fmeum as you're pretty knowledgeable in regards to autofill: is it correct that the native autofill API in Android does not provide the url path to the autofill service?
@fmeum commented on GitHub (Dec 16, 2020):
Yes, that is correct. The content of the URL bar goes through setWebDomain, which extracts only the scheme and the host. This makes sense as it prevents accidentally leaking secrets contained in the URL and all security guarantees offered by the web platform only apply to origins (scheme + host + port) anyway.
@MexHigh commented on GitHub (Mar 12, 2022):
Just to add something that might be useful to fix this:
It seems like the "starts with" matching with the URL from the browser starts here:
2e8824ce05/src/Core/Services/CipherService.cs (L409-L415)-->
url.startsWith(u.Uri)ubeing the "match URL" object here (u.Uriis the string like "example.org/whatever" andu.Matchis the explicit matching method set for this URL or the default matching method).urlbeing passed to the function in this function:2e8824ce05/src/Android/Autofill/AutofillHelpers.cs (L146)... which is, in turn, called here with a new instance of the
Parserclass which contains the URL which is later checked againstu.Uri.2e8824ce05/src/Android/Autofill/AutofillService.cs (L73)The value of
parser.Uriis calculated here:2e8824ce05/src/Android/Autofill/Parser.cs (L32-L55)... with
Websitebeing composed like:2e8824ce05/src/Android/Autofill/Parser.cs (L155)Conclusion
So yes, the URL that gets matched with the specified URL(s) in the password records only contains the scheme and domain. Appending the path to the
Websitevariable would probably solve the problem.Sadly, I'm not able to resolve this myself, as my C# is not that good (just about good enough to understand what happens here). But maybe this is useful for someone capable of fixing this.
@pabohoney1 commented on GitHub (Jul 17, 2023):
Adding a comment to bump this up, this seems like a silly bug to have and also seems like it should be a quick fix.
@DawidPietrykowski commented on GitHub (Dec 24, 2023):
I looked for this issue since I was having problems with Bitwarden autofilling passwords to my selfhosted services which have domains like:
service1.domain.com
service2.domain.com
After reading @MexHigh 's findings I tried to implement appending the path to the domain, but unfortunately I think it may not be possible.
Bitwarden relies on Android API to provide the AutoFillService with information about the app, which in case of a browser is WebSchema and WebDomain.
Citing the documentation from the API docs, WebDomain doesn't contain path:
It seems like there's no way to get the path.
I did find a solution to my problem though and in case anyone faced similar issues I will include it here.
My Bitwarden entries had the url match options set to "Starts with" (which seemed to make sense at that time) and had URLs like: https://service1.domain.com/. Because of that "/" at the end the android app wasn't able to match it since it's part of the path not the domain.
The workaround on the user side is to remove that slash at the end or change matching type to "Host".
I do think however that Bitwarden should match that URL since "/" is essentially the same as "" in terms of website's path. We could then append "/" to the Website @MexHigh mentioned and the problem would be fixed.
I believe it to be a good workaround that doesn't compromise security and increases usability, but I'd love to hear other people's opinions on the matter.
@Neurology0443 commented on GitHub (May 28, 2024):
Somehow the same issue on Android 13 with Firefox beta 125.0b9. My own self-signed domains on mobile with 'start with' don't work as expected (On Linux, MacOS, Windows everything works as expected).
@DawidPietrykowski workaround (thanks by the way !!!) works but some urls need more than that
e.g.: https://pihole.myown.domain/admin/login.php needs to be shorted to https://pihole.myown.domain in the URI part with 'start with'.
Also I found out that when I add the URI first with my phone to bitwarden, it works correctly on all devices.
@vvolkgang commented on GitHub (Jun 20, 2024):
Issue migrated to https://github.com/bitwarden/mobile/issues/578
@don-dolarson commented on GitHub (Oct 15, 2024):
Bump. It's also a problem for regular expression on Bitwarden on Android, both the old stable and beta. Is this anything you look at or never gonna be fixed? Everything after the slash / doesn't work. The same for 'start with' rule.
^(http|https)://example.* works ^(http|https)://example.*/ and anything after the slash not.
No problem for Firefox based forks running Linux or Windows.