A question about security fix for auto-filling into web pages with CSP sandbox

Artem_Baranov · January 31, 2023, 3:31pm

Hello, folks.

I’m a newbie here, just wanted to clarify one thing about the security fix that was implemented for subj.

github.com/bitwarden/clients

[PS-1735] Do not autofill if sandboxed

bitwarden:master ← bitwarden:honor-sandbox-in-autofill

opened 09:10PM - 20 Oct 22 UTC

MGibson1

+8 -1

## Type of change ``` - [ ] Bug fix - [ ] New feature development - [ …] Tech debt (refactoring, code cleanup, dependency upgrades, etc) - [ ] Build/deploy pipeline (DevOps) - [ ] Other ``` ## Objective Honor the sandbox attribute of CSP and iframes. Note: `self.origin` is 'null' if inside a frame with sandboxed csp or iframe tag ## Before you submit - Please add **unit tests** where it makes sense to do so (encouraged but not required) - If this change requires a **documentation update** - notify the documentation team - If this change has particular **deployment requirements** - notify the DevOps team

Frankly, not sure, that I understand why this case poses a security risk for the password manager’s browser extension. Web pages with CSP sandbox property have got even stronger protection against scam activity and what are connections between this CSP directive and security restrictions that are imposed on in-browser password managers. The research also mentions that such web pages are always classified as untrusted, it’s also unclear… Thank you in advance.

grb · January 31, 2023, 8:14pm

A post was merged into an existing topic: Google-discovered vulnerability in Bitwarden

grb · January 31, 2023, 8:15pm

@Artem_Baranov Welcome to the forum! I moved your question into an existing thread on the same topic.