Allow fields containing user scripts (aka GreaseMonkey aka ViolentMonkey) to ease quirky logins

Feature name

per-Item user script hooks

Feature function

  • What will this feature do differently?
  • What benefits will this feature bring?
  • Remember to add a tag for each client application that will be affected

What will this feature do differently?

If an Item included a Field named userscript:run-at:document-end (or one of the @run-at directives (https://violentmonkey.github.io/api/metadata-block/#run-at)), then when the Item’s URL matches, the Bitwarden extension would allow customization of the DOM in preparation for a better auto-fill experience by executing the user-controlled payload

At Bitwarden’s discretion whether the hooks were more password-manager-centric, such as before-fill, after-fill type deal

If the payload fails, at Bitwarden’s discretion whether to attempt to display some failure, or just console.error like any other script error

What benefits will this feature bring?

As the supporting links demonstrate below, currently the burden is upon the user to either manually mutate the page using their own mechanisms, or to install a User Script provider extension to work around the seemingly infinite ways login pages can be written. By consolidating the “fix” into the Bitwarden Item for that website, it allows the user to self-service without increasing their attack surface by installing other extensions

What risks will this feature introduce?

  • scope creep is a very real thing!
  • a partially applied DOM mutation may leave the page in a state that Bitwarden cannot auto-fill anymore
  • it could increase the support burden, as bad user script execution may be blamed on Bitwarden, even when the user has explicitly asked for the non-standard behavior
  • the worst(?) outcome would be a bug in the user script application process itself, meaning that neither the script is applied nor, potentially, the normal auto-fill behavior runs

Remember to add a tag for each client application that will be affected

I have included app:browser, which I presume is the extensions, but I am not aware of cross-platform mechanisms that would be applicable to the Android and iOS autofill mechanism. Comments welcome!

Related topics + references

  • Are there any related topics that may help explain the need and function of this feature?
  • Are there any references to this feature or function on other platforms that may be helpful?

I am not aware of this behavior on any other platform, and thus it would be a real game changer for Bitwarden. Since there is already a browser extension, and it already has the ability to mutate the target page, it is a natural pairing

  • https://github.com/bitwarden/clients/issues/920#issuecomment-485824263
  • https://github.com/bitwarden/clients/issues/1051#issuecomment-626264166
  • https://old.reddit.com/r/Bitwarden/comments/whwq4w/work_around_for_the_treasury_direct_site/ij8gq95/

and maybe a ton more


the URLs are in backticks because Discourse thinks I’m a spammer
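
A sketch of how the proposed field-name convention could be parsed and gated on the Item's URL before any payload is chosen to run. This is an added example, not part of the original post and not Bitwarden code. The item shape (`uris`, `fields`), the function names and the strict https same-origin rule are assumptions; the `@run-at` values are the ones Violentmonkey documents.

```javascript
// Hypothetical sketch: picks user-script fields from a vault item for a page.
// The "userscript:run-at:<value>" naming comes from the proposal above; the
// item shape ({ uris, fields }) and all function names are assumptions.

// @run-at values documented by Violentmonkey.
const RUN_AT = new Set(["document-start", "document-body", "document-end", "document-idle"]);
const PREFIX = "userscript:run-at:";

// Returns the run-at value for a hook field name, or null if it is not one.
function parseHookName(fieldName) {
  if (typeof fieldName !== "string" || !fieldName.startsWith(PREFIX)) return null;
  const runAt = fieldName.slice(PREFIX.length);
  return RUN_AT.has(runAt) ? runAt : null; // fail closed on unknown values
}

// True only when the page is https and its origin equals an item URI's origin,
// so a script stored for one site is never selected on a look-alike host.
function originMatches(itemUris, pageUrl) {
  let page;
  try { page = new URL(pageUrl); } catch { return false; }
  if (page.protocol !== "https:") return false;
  return itemUris.some((u) => {
    try { return new URL(u).origin === page.origin; } catch { return false; }
  });
}

// Returns [{ runAt, source }] for the scripts that may run on pageUrl.
function selectHooks(item, pageUrl) {
  if (!originMatches(item.uris || [], pageUrl)) return [];
  const hooks = [];
  for (const f of item.fields || []) {
    const runAt = parseHookName(f.name);
    if (runAt && typeof f.value === "string" && f.value.trim() !== "") {
      hooks.push({ runAt, source: f.value });
    }
  }
  return hooks;
}

// Constructed sample item (not real vault data).
const sampleItem = {
  uris: ["https://login.example.com/signin"],
  fields: [
    { name: "userscript:run-at:document-end", value: "document.querySelector('#pw').removeAttribute('readonly');" },
    { name: "userscript:run-at:whenever", value: "ignored();" },
    { name: "security question", value: "blue" },
  ],
};
```
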