I’m a developer, and run local web servers for in-process apps that I’m working on. I’d like to exclude all aspects of Bitwarden from those local apps. I tried adding the dev domain to Excluded Domains, but Bitwarden still shows auto-fill menus on form fields it thinks are part of a login form, for example.
My proposal would be to add a checkbox to the Excluded domains settings page labelled something like ‘Remove all Bitwarden functionality from this domain’. It would be a bit like the uBlockOrigin ‘disable for this site’ feature, in that the extension would not try to do anything.
I’ve had cases where Bitwarden error logs are generated in the browser console for these apps, as I’m using HMR and the inspector to add / remove DOM elements, and Bitwarden tries to add a menu to an element that suddenly no longer exists. The browser console filtering doesn’t seem to offer ‘negative search’ so that I can’t easily exclude Bitwarden logs from the application logs that I’m trying to analyse, so that would be a great help too.
I think that this proposal is a bit too coarse-grained, and may not get traction. There are use-cases in which someone may want to stop the prompts for saving/updating passwords on a site, but still would like for auto-fill to work on that site (using the keyboard shortcut or auto-fill on page load). Or they may want to block Bitwarden passkey prompts on a site while maintaining some kind of auto-fill functionality.
A more actionable feature request IMO would be what I had suggested in the linked discussion:
Bitwarden should block the injection of inline autofill menus for all domains on the Excluded Domains list.
This is more congruent with the existing functionality of the Excluded Domains list, which currently blocks DOM injection for the purpose of prompting to save logins and for the purpose of prompting to save/use passkeys.
Preventing the Bitwarden browser extension from doing URI matching and auto-filling (i.e., auto-fill using methods other than the new inline menu icon) will have unintended consequences, and will also require a significant rewrite of the code. In addition, requiring the Excluded Domains list to block these additional functions is unnecessary, because there are already other techniques available for preventing URI matching and auto-filling.