github-starred/android
2
0
Fork 0
mirror of https://github.com/bitwarden/android.git synced 2026-03-09 03:33:36 -05:00
Code Issues 144 Packages Projects Releases 116 Wiki Activity

[PR #2402] [CLOSED] Add option to match URI by Origin #3544

New Issue
Closed
opened 2025-11-26 23:34:12 -06:00 by GiteaMirror · 0 comments
GiteaMirror commented 2025-11-26 23:34:12 -06:00
Owner
Copy Link

📋 Pull Request Information

Original PR: https://github.com/bitwarden/android/pull/2402
Author: @0xedward
Created: 3/6/2023
Status: Closed

Base: mainHead: master

📝 Commits (10+)

  • 48a8d9a Clipboard handling adjustments for Android 13 (#1947)
  • 388ad4e lib updates (#1949)
  • 51a5f58 Fixed vault filter display issue with personal ownership policy (#1950)
  • 5579817 Updating the release version check to use the new action (#1934)
  • f9cbe43 [PIQ-3] Add Github Actions to help manage issues and PRs (#1948)
  • e51233b Update README and CONTRIBUTING to use contributing.bitwarden.com (#1932)
  • 448758a Additional logic around filter display (#1951)
  • c53a85c [SG-390] Fix for missing org items with single org & personal ownership enabled (#1953)
  • 3aef86b [SG-386] iOS Update user state when coming from background (#1952)
  • f24388c separate init and showVaultFilter property set (#1954)

📊 Changes

7 files changed (+43 additions, -2 deletions)

View changed files

📝 src/App/Pages/Settings/OptionsPageViewModel.cs (+1 -0)
📝 src/App/Pages/Vault/CipherAddEditPageViewModel.cs (+1 -0)
📝 src/App/Resources/AppResources.Designer.cs (+10 -1)
📝 src/App/Resources/AppResources.resx (+4 -0)
📝 src/Core/Enums/UriMatchType.cs (+2 -1)
📝 src/Core/Services/CipherService.cs (+8 -0)
📝 src/Core/Utilities/CoreHelpers.cs (+17 -0)

📄 Description

Type of change

  • Bug fix
  • New feature development
  • Tech debt (refactoring, code cleanup, dependency upgrades, etc)
  • Build/deploy pipeline (DevOps)
  • Other

Objective

The fundamental boundary of web security is the Same Origin Policy (SOP), of which many additional security standards of the web platform are built on top of. For users familiar with SOP, being able to match vault URIs by origins makes it easier for them to reason about the security of a page they are attempting to autofill using vault login. However, users currently cannot restrict autofilling vault logins by matching the origin of the site they want to autofill a login with the origin of the URI saved to vault login they intend to autofill.

The current match detection options have security or usability flaws for achieving the same functionality as match by Origin:

  • Base domain match detection will exclude checking if the scheme and SLD of URIs match, which opens up the opportunity to fall for autofilling a login into a subdomain taken over by an attacker.

  • Host match detection excludes the scheme of a URI, which may result in (1) the unlikely chance of falling for an HTTPS downgrade attack and autofilling, or (2) matching to any scheme in CanLaunchWhitelist

  • Exact match detection will match the path of a URI. When saving a new vault login, Bitwarden takes the current URL on the page, strips the query parameters and saves that as the URI for the vault item. To replicate the functionality of match detection by origin, the user will often need to manually delete the path of URIs autosaved when creating a new vault login.

  • Starts with suffers from the same problem as Exact, because of what Bitwarden does when saving a new vault item, except it's slightly more permissive as URIs with additional paths appended will autofill.

  • Regex would allow for users to achieve the same functionality as match by origin, but it would (1) require writing a regex without making any mistakes, (2) would make matching by origin inaccessible for people not familiar with regex, and (3) require the user to copy over the regex pattern to each of their existing clients or new clients they use.

Additional info

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/bitwarden/android/pull/2402 **Author:** [@0xedward](https://github.com/0xedward) **Created:** 3/6/2023 **Status:** ❌ Closed **Base:** `main` ← **Head:** `master` --- ### 📝 Commits (10+) - [`48a8d9a`](https://github.com/bitwarden/android/commit/48a8d9ae35726a08c05adf99e8cc9ad63772d620) Clipboard handling adjustments for Android 13 (#1947) - [`388ad4e`](https://github.com/bitwarden/android/commit/388ad4e840b2c7bebc351d17b83266e6566304b9) lib updates (#1949) - [`51a5f58`](https://github.com/bitwarden/android/commit/51a5f5825863e9cbbd010bc9a7249e43ddcc5f1b) Fixed vault filter display issue with personal ownership policy (#1950) - [`5579817`](https://github.com/bitwarden/android/commit/5579817f9f5661e63fe52b8e18c47319a2714fa7) Updating the release version check to use the new action (#1934) - [`f9cbe43`](https://github.com/bitwarden/android/commit/f9cbe43627ed5586facfb3e515f9c44ecd34fd30) [PIQ-3] Add Github Actions to help manage issues and PRs (#1948) - [`e51233b`](https://github.com/bitwarden/android/commit/e51233bf9b4bfccf0f9469126a230df62c1db27d) Update README and CONTRIBUTING to use contributing.bitwarden.com (#1932) - [`448758a`](https://github.com/bitwarden/android/commit/448758a697b3287bef3a84cdde14d4f934ded250) Additional logic around filter display (#1951) - [`c53a85c`](https://github.com/bitwarden/android/commit/c53a85cd505465b72e92bbe6a19eed465daccf2f) [SG-390] Fix for missing org items with single org & personal ownership enabled (#1953) - [`3aef86b`](https://github.com/bitwarden/android/commit/3aef86bd3402f21d2f14249dfa04f5f5e3a8e04a) [SG-386] iOS Update user state when coming from background (#1952) - [`f24388c`](https://github.com/bitwarden/android/commit/f24388c1b5f81cb85193aec1450934028a6d7203) separate init and showVaultFilter property set (#1954) ### 📊 Changes **7 files changed** (+43 additions, -2 deletions) <details> <summary>View changed files</summary> 📝 `src/App/Pages/Settings/OptionsPageViewModel.cs` (+1 -0) 📝 `src/App/Pages/Vault/CipherAddEditPageViewModel.cs` (+1 -0) 📝 `src/App/Resources/AppResources.Designer.cs` (+10 -1) 📝 `src/App/Resources/AppResources.resx` (+4 -0) 📝 `src/Core/Enums/UriMatchType.cs` (+2 -1) 📝 `src/Core/Services/CipherService.cs` (+8 -0) 📝 `src/Core/Utilities/CoreHelpers.cs` (+17 -0) </details> ### 📄 Description ## Type of change - [ ] Bug fix - [x] New feature development - [ ] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ## Objective The fundamental boundary of web security is the [Same Origin Policy (SOP)](https://developer.mozilla.org/en-US/docs/Glossary/Same-origin_policy), of which many additional security standards of the web platform are built on top of. For users familiar with SOP, being able to match vault URIs by origins makes it easier for them to reason about the security of a page they are attempting to autofill using vault login. However, users currently cannot restrict autofilling vault logins by matching the origin of the site they want to autofill a login with the origin of the URI saved to vault login they intend to autofill. The current match detection options have security or usability flaws for achieving the same functionality as match by [Origin](https://developer.mozilla.org/en-US/docs/Glossary/Origin): - `Base domain` match detection will exclude checking if the scheme and SLD of URIs match, which opens up the opportunity to fall for autofilling a login into a subdomain taken over by an attacker. - `Host` match detection excludes the scheme of a URI, which may result in (1) the unlikely chance of falling for an HTTPS downgrade attack and autofilling, or (2) matching to any scheme in `CanLaunchWhitelist` - `Exact` match detection will match the path of a URI. When saving a new vault login, Bitwarden takes the current URL on the page, strips the query parameters and saves that as the URI for the vault item. To replicate the functionality of match detection by origin, the user will often need to manually delete the path of URIs autosaved when creating a new vault login. - `Starts with` suffers from the same problem as `Exact`, because of what Bitwarden does when saving a new vault item, except it's slightly more permissive as URIs with additional paths appended will autofill. - `Regex` would allow for users to achieve the same functionality as match by origin, but it would (1) require writing a regex without making any mistakes, (2) would make matching by origin inaccessible for people not familiar with regex, and (3) require the user to copy over the regex pattern to each of their existing clients or new clients they use. ## Additional info - [Other clients' implementation of this change](https://github.com/bitwarden/clients/pull/4937) --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2025-11-26 23:34:12 -06:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
app:authenticator
app:password-manager
bug
bug-passkey
customer-support
duplicate
enhancement
good first issue
help wanted
needs-reply
needs-response
pull-request
Mirrored from GitHub Pull Request
 question
No Label pull-request
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
GiteaMirror ninjasurge
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/android#3544
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?