Upstream/bitwarden-browser
1
0
Fork 0
mirror of https://github.com/bitwarden/browser.git synced 2025-03-11 13:30:39 +01:00
Code Issues Projects Releases Wiki Activity

[PM-1498] Update the iframe autofill alert text (#5364)

Browse Source 
* update text for iframe autofill warning confirm dialog

* use localized confirmation messages

* rewrite urlNotSecure

Co-authored-by: Cesar Gonzalez <cesar.a.gonzalezcs@gmail.com>

---------

Co-authored-by: Cesar Gonzalez <cesar.a.gonzalezcs@gmail.com>
This commit is contained in:
Jonathan Prusik 2023-05-10 11:27:33 -04:00 committed by GitHub
parent 6f34fcb86e
commit a64cecff68
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 93 additions and 57 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
apps/browser/src/_locales/en/messages.json
View File

@ -1461,6 +1461,24 @@
"autoFillSuccess": {
"message": "Item auto-filled "
},
"insecurePageWarning": {
"message": "Warning: This is an unsecured HTTP page, and any information you submit can potentially be seen and changed by others. This Login was originally saved on a secure (HTTPS) page."
},
"insecurePageWarningFillPrompt": {
"message": "Do you still wish to fill this login?"
},
"autofillIframeWarning": {
"message": "The form is hosted by a different domain than the URI of your saved login. Choose OK to auto-fill anyway, or Cancel to stop."
},
"autofillIframeWarningTip": {
"message": "To prevent this warning in the future, save this URI, $HOSTNAME$, to your Bitwarden login item for this site.",
"placeholders": {
"hostname": {
"content": "$1",
"example": "www.example.com"
}
}
},
"setMasterPassword": {
"message": "Set master password"
},

36
apps/browser/src/autofill/content/autofill.js
View File

@ -741,14 +741,29 @@
// Check if URL is not secure when the original saved one was
function urlNotSecure(savedURLs) {
var passwordInputs = null;
if (!savedURLs) {
if (!savedURLs || !savedURLs.length) {
return false;
}
return savedURLs.some(url => url?.indexOf('https://') === 0) && 'http:' === document.location.protocol && (passwordInputs = document.querySelectorAll('input[type=password]'),
0 < passwordInputs.length && (confirmResult = confirm('Warning: This is an unsecured HTTP page, and any information you submit can potentially be seen and changed by others. This Login was originally saved on a secure (HTTPS) page.\n\nDo you still wish to fill this login?'),
0 == confirmResult)) ? true : false;
const confirmationWarning = [
chrome.i18n.getMessage("insecurePageWarning"),
chrome.i18n.getMessage("insecurePageWarningFillPrompt", [window.location.hostname])
].join('\n\n');
if (
// At least one of the `savedURLs` uses SSL
savedURLs.some(url => url.startsWith('https://')) &&
// The current page is not using SSL
document.location.protocol === 'http:' &&
// There are password inputs on the page
document.querySelectorAll('input[type=password]')?.length
) {
// The user agrees the page is unsafe or not
return !confirm(confirmationWarning);
}
// The page is secure
return false;
}
// Detect if within an iframe, and the iframe is sandboxed
@ -777,10 +792,13 @@
// confirm() is blocked by sandboxed iframes, but we don't want to fill sandboxed iframes anyway.
// If this occurs, confirm() returns false without displaying the dialog box, and autofill will be aborted.
// The browser may print a message to the console, but this is not a standard error that we can handle.
var acceptedIframeWarning = confirm("The form is hosted by a different domain than the URI " +
"of your saved login. Choose OK to auto-fill anyway, or Cancel to stop. " +
"To prevent this warning in the future, save this URI, " +
window.location.hostname + ", to your login.");
const confirmationWarning = [
chrome.i18n.getMessage("autofillIframeWarning"),
chrome.i18n.getMessage("autofillIframeWarningTip", [window.location.hostname])
].join('\n\n');
const acceptedIframeWarning = confirm(confirmationWarning);
if (!acceptedIframeWarning) {
return;
}