* Implement automatic kdf upgrades
* Fix kdf config not being updated
* Update legacy kdf state on master password unlock sync
* Fix cli build
* Fix
* Deduplicate prompts
* Fix dismiss time
* Fix default kdf setting
* Fix build
* Undo changes
* Fix test
* Fix prettier
* Fix test
* Update libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.ts
Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
* Update libs/common/src/key-management/master-password/abstractions/master-password.service.abstraction.ts
Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
* Update libs/angular/src/key-management/encrypted-migration/encrypted-migrations-scheduler.service.ts
Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
* Only sync when there is at least one migration
* Relative imports
* Add tech debt comment
* Resolve inconsistent prefix
* Clean up
* Update docs
* Use default PBKDF2 iterations instead of custom threshold
* Undo type check
* Fix build
* Add comment
* Cleanup
* Cleanup
* Address component feedback
* Use isnullorwhitespace
* Fix tests
* Allow migration only on vault
* Fix tests
* Run prettier
* Fix tests
* Prevent await race condition
* Fix min and default values in kdf migration
* Run sync only when a migration was run
* Update libs/common/src/key-management/encrypted-migrator/default-encrypted-migrator.ts
Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
* Fix link not being blue
* Fix later button on browser
---------
Co-authored-by: Maciej Zieniuk <167752252+mzieniukbw@users.noreply.github.com>
* add values to TotpFieldNames constant
* add totp field check to username field qualification
* handle checking empty string cases
* update tests
* require stored username for new cipher notification prompt
* drop ambiguous token keyword from authoritative TOTP field names constant
* adjust shouldAttemptNotification logic for add and change cases
* Fix stale data issue in new login popout
* Update the comments
* Address critical claude code bot suggestions
* Clean out all stale data from pop up
* Fix cached cipher issue
* Fix caching issue between tab and overlay flow
* Address claude comments
* cleanup
* prevent inline menu from opening on the page outside of the viewport
* update inline menu viewport check to include checks on all sides of the viewport
* use VisualViewport when available
* update tests
* add handler for new policy sync push notification
* fix storybook build failure
* move logic into policy service, fix tests
* add account service
* add missing service to clie
* PM-27821 - Replace chrome.runtime.getURL() with BrowserApi.getRuntimeURL() for consistency
- Add extension origin validation for all window.postMessage calls
- Implement token-based authentication for inline menu communications
- Add message source validation (event.source === globalThis.parent)
- Add command presence validation
- Update notification bar to validate message origins and commands
- Add extensionOrigin property to services using postMessage
- Generate session tokens for inline menu containers (32-char random)
- Validate tokens in message handlers to prevent unauthorized commands
* Add explicit token validation
* only set when receiving the trusted initNotificationBar message
* await windowmessageorigin before posting to parent
* fix tests
* the parent must include its origin in the message for notification bar race condition
* reduce if statements to one block and comment
* extract parentOrigin from the URL and set windoMessageOrigin accordingly
* consolidate if statements
* add bar.spec file
* fix merge conflict
* add archive upgrade flow to more options menu
* add reprompt for archiving a cipher
* add premium badge for archive in settings
* update showArchive to only look at the feature flag
* add premium badge for browser settings
* add event to prompt for premium
* formatting
* update test
* feat(user-decryption-options) [PM-26413]: Update UserDecryptionOptionsService and tests to use UserId-only APIs.
* feat(user-decryption-options) [PM-26413]: Update InternalUserDecryptionOptionsService call sites to use UserId-only API.
* feat(user-decryption-options) [PM-26413] Update userDecryptionOptions$ call sites to use the UserId-only API.
* feat(user-decryption-options) [PM-26413]: Update additional call sites.
* feat(user-decryption-options) [PM-26413]: Update dependencies and an additional call site.
* feat(user-verification-service) [PM-26413]: Replace where allowed by unrestricted imports invocation of UserVerificationService.hasMasterPassword (deprecated) with UserDecryptionOptions.hasMasterPasswordById$. Additional work to complete as tech debt tracked in PM-27009.
* feat(user-decryption-options) [PM-26413]: Update for non-null strict adherence.
* feat(user-decryption-options) [PM-26413]: Update type safety and defensive returns.
* chore(user-decryption-options) [PM-26413]: Comment cleanup.
* feat(user-decryption-options) [PM-26413]: Update tests.
* feat(user-decryption-options) [PM-26413]: Standardize null-checking on active account id for new API consumption.
* feat(vault-timeout-settings-service) [PM-26413]: Add test cases to illustrate null active account from AccountService.
* fix(fido2-user-verification-service-spec) [PM-26413]: Update test harness to use FakeAccountService.
* fix(downstream-components) [PM-26413]: Prefer use of the getUserId operator in all authenticated contexts for user id provided to UserDecryptionOptionsService.
---------
Co-authored-by: bnagawiecki <107435978+bnagawiecki@users.noreply.github.com>
* PM-28516 Validate iframe and stylesheet URLs against their own origins to handle cases where chrome assigns different extension ids in different contexts
* switch to regex to match existing match pattern
* updated regex to account for safari
* Correctly fill generated passwords and current password on plex.tv
* Correctly fill generated passwords and current password on plex.tv
* Leave existing forEach
* Add tests for changes
* turn off inline experience if host page aggressively competes for top of top-layer
* add alert message for top-layer hijack scenarios
* widen the backoff threshold
* refactor backoff logic to include popover attribute mutations
* improve getPageIsOpaque check
* do not attempt inline menu insertion if it has been disabled for security concerns
* fix typo
* cleanup
* add tests
* chore: update @types/firefox-webext-browser
* fix: add world: MAIN to Firefox page script registration
* review: add world property to registration type
This commit adds use_dynamic_url: true to the extension's web_accessible_resources configuration. When enabled, Chrome generates random session-based GUIDs for extension resource URLs instead of using the predictable static extension ID. This enhances privacy by making extension resource URLs unpredictable and prevents third-party enumeration of installed extensions.
The feature is supported in Chrome 102+ and changes resource URLs from chrome-extension://[static-id]/resource to chrome-extension://[random-guid]/resource, with GUIDs regenerating each browser session while maintaining all existing extension functionality.
Addresses: https://bitwarden.atlassian.net/browse/PM-28344
* PM-27900 harden iframe, origin route tightening and test updates
* reduce comments to make more legible
* Removes referrer check in favor of PM-27822 #17313 bitwarden/clients@4206447cfe
* make token optional since it is later set
* whitelist -> allowlist
* improve notes on unsafe
* improve content handler notes
* order allowlist
* improve jsdoc on ismessagefromextension method
* cover additional test cases
* rename verifytoken and document more clear, update referrer
---------
Co-authored-by: Miles Blackwood <mrobinson@bitwarden.com>
* premium upgrade nudge
* add specs
* clean up vault template and specs
* fix date comparison. add more specs for date
* fix spec
* fix specs
* make prop private