From 337e406e880d6bb8470593475a46d9936369e7b9 Mon Sep 17 00:00:00 2001 From: Matt Gibson Date: Fri, 4 Nov 2022 11:44:21 -0400 Subject: [PATCH] [PS-1734] Send saved urls to autofill script (#3861) * Send all saved url to autofill script * Handle array of matched urls in content script * Prompt at most once to override insecure autofill * Do not send never match URIs to content script We know these URIs did not cause the autofill match, so we can safely remove these from the list of potential matches. --- apps/browser/src/content/autofill.js | 11 ++++++----- apps/browser/src/models/autofillScript.ts | 1 + apps/browser/src/services/autofill.service.ts | 3 +++ 3 files changed, 10 insertions(+), 5 deletions(-) diff --git a/apps/browser/src/content/autofill.js b/apps/browser/src/content/autofill.js index d7b9db2aeb..ee4dfab1b0 100644 --- a/apps/browser/src/content/autofill.js +++ b/apps/browser/src/content/autofill.js @@ -41,6 +41,7 @@ 8. Add ability to autofill span[data-bwautofill] elements 9. Add new handler, for new command that responds with page details in response callback 10. Handle sandbox iframe and sandbox rule in CSP + 11. Work on array of saved urls instead of just one to determine if we should autofill non-https sites */ function collect(document, undefined) { 
@@ -631,14 +632,14 @@ animateTheFilling = true; // Check if URL is not secure when the original saved one was - function urlNotSecure(savedURL) { + function urlNotSecure(savedURLs) { var passwordInputs = null; - if (!savedURL) { + if (!savedURLs) { return false; } - return 0 === savedURL.indexOf('https://') && 'http:' === document.location.protocol && (passwordInputs = document.querySelectorAll('input[type=password]'), - 0 < passwordInputs.length && (confirmResult = confirm('Warning: This is an unsecured HTTP page, and any information you submit can potentially be seen and changed by others. This Login was originally saved on a secure (HTTPS) page.\\n\\nDo you still wish to fill this login?'), + return savedURLs.some(url => url.indexOf('https://') === 0) && 'http:' === document.location.protocol && (passwordInputs = document.querySelectorAll('input[type=password]'), + 0 < passwordInputs.length && (confirmResult = confirm('Warning: This is an unsecured HTTP page, and any information you submit can potentially be seen and changed by others. This Login was originally saved on a secure (HTTPS) page.\n\nDo you still wish to fill this login?'), 0 == confirmResult)) ? true : false; } @@ -660,7 +661,7 @@ fillScriptProperties.delay_between_operations && (operationDelayMs = fillScriptProperties.delay_between_operations); - if (isSandboxed() || urlNotSecure(fillScript.savedURL)) { + if (isSandboxed() || urlNotSecure(fillScript.savedUrls)) { return; } diff --git a/apps/browser/src/models/autofillScript.ts b/apps/browser/src/models/autofillScript.ts index 509c1da87b..f18ac4ff69 100644 --- a/apps/browser/src/models/autofillScript.ts +++ b/apps/browser/src/models/autofillScript.ts @@ -5,6 +5,7 @@ export default class AutofillScript { options: any = {}; metadata: any = {}; autosubmit: any = null; + savedUrls: string[]; constructor(documentUUID: string) { this.documentUUID = documentUUID; 
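Review bot: The HTTPS-downgrade check in `urlNotSecure` is still one comma-expression mixing the scheme test, the DOM query and the `confirm()` call, which makes a security decision hard to audit; I would unroll it into guard clauses. Two gaps in the new `savedURLs.some(url => url.indexOf('https://') === 0)` test are worth closing at the same time. It throws if any entry is not a string, and the prefix comparison is case-sensitive, so a URI stored as `HTTPS://…` would not trigger the warning (whether URIs are normalised before they reach this script is not visible here). A missing or empty list returns `false`, so the call site in the next hunk fills without a prompt whenever `fillScript.savedUrls` is absent; a comment saying this is intentional would help.

```javascript
function urlNotSecure(savedURLs) {
    // No saved URLs means there is no HTTPS origin to compare against.
    if (!Array.isArray(savedURLs) || savedURLs.length === 0) {
        return false;
    }
    var savedOverHttps = savedURLs.some(url =>
        typeof url === 'string' && url.toLowerCase().indexOf('https://') === 0);
    if (!savedOverHttps || 'http:' !== document.location.protocol) {
        return false;
    }
    // Only prompt when the page actually has a password field to fill.
    if (document.querySelectorAll('input[type=password]').length === 0) {
        return false;
    }
    // … unchanged: confirmResult = confirm(<warning text>) …
    return !confirmResult;
}
```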
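Review bot: `savedUrls` is the only field in this hunk declared without an initializer, so it is `undefined` on every `AutofillScript` until the service assigns it. The content script's `if (!savedURLs) { return false; }` treats a missing list as nothing to check and skips the insecure-page prompt. Initialising the field keeps the declared type honest and makes the empty case explicit: `savedUrls: string[] = [];`. A short doc comment such as `/** URIs saved on the login (never-match entries excluded); read by the content script's HTTP downgrade check. */` would record why the field exists. The class body continues outside the hunk.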
diff --git a/apps/browser/src/services/autofill.service.ts b/apps/browser/src/services/autofill.service.ts index fe7837dd4b..470bd584cf 100644 --- a/apps/browser/src/services/autofill.service.ts +++ b/apps/browser/src/services/autofill.service.ts @@ -6,6 +6,7 @@ import { CipherRepromptType } from "@bitwarden/common/enums/cipherRepromptType"; import { CipherType } from "@bitwarden/common/enums/cipherType"; import { EventType } from "@bitwarden/common/enums/eventType"; import { FieldType } from "@bitwarden/common/enums/fieldType"; +import { UriMatchType } from "@bitwarden/common/enums/uriMatchType"; import { CipherView } from "@bitwarden/common/models/view/cipher.view"; import { FieldView } from "@bitwarden/common/models/view/field.view"; @@ -305,6 +306,8 @@ export default class AutofillService implements AutofillServiceInterface { let pf: AutofillField = null; let username: AutofillField = null; const login = options.cipher.login; + fillScript.savedUrls = + login?.uris?.filter((u) => u.match != UriMatchType.Never).map((u) => u.uri) ?? []; if (!login.password || login.password === "") { // No password for this login. Maybe they just wanted to auto-fill some custom fields?
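Review bot: The list assigned to `fillScript.savedUrls` can carry `null` or `undefined` entries if a `uris` item has no `uri` set (not verifiable from this hunk). The content script calls `url.indexOf` on every entry, so one such entry would throw inside `urlNotSecure` instead of producing a decision. Filtering on the value as well avoids that: `login?.uris?.filter((u) => u.match != UriMatchType.Never && u.uri != null).map((u) => u.uri) ?? [];`. The optional chaining on `login` is also inconsistent with the very next line, which dereferences `login.password` unguarded; either that line needs a guard or the `?.` after `login` is unnecessary. The enclosing method starts and ends outside the hunk.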