Hi, maybe I’m missing something, but I did a test of what was reported in the first link: Bitwarden did not autofill either the 4th or the 5th link, even with autofill enabled on page loading.
In the linked Google security research, they note that Bitwarden has a fix, bitwarden/clients#3860, which has already been merged.
Direct from the article:
Both Dashlane and Bitwarden have updated their software although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat.
Hence why in testing this is no longer an issue. Thanks for bringing this up, though.
Spoiler Alert: As demonstrated by the ability of Steve Englehardt’s demo site to “sniff” your login credentials, cross-site scripting can still be used to steal credentials that are auto-filled into invisible forms. The patched security vulnerability only prevents auto-filling from occurring when forms are located on pages that have a CSP sandbox response header or that are located inside sandboxed iframes.
If anybody with the requisite technical expertise (e.g., @mgibson) would be willing to provide a technical explanation of what difference this recent patch makes in the context of the more general XSS vulnerability (which apparently still exists), I would be much obliged.
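The sandbox condition named in the post above, as an added example that is not part of any post in this thread and not Bitwarden's code: it classifies a form's context from the `Content-Security-Policy` header and the `sandbox` attributes of the enclosing iframes, and shows that an ordinary non-sandboxed page is unaffected by such a check. All function names, the `autofill` decision rule (taken from the post's wording) and the sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration; function and field names are hypothetical.

// Collect the token list of every `sandbox` directive in a CSP header value.
// Commas separate policies, semicolons separate directives, and within one
// policy only the first occurrence of a directive counts.
function sandboxPolicies(headerValue) {
  const found = [];
  for (const policy of (headerValue || "").split(",")) {
    const seen = new Set();
    for (const directive of policy.split(";")) {
      const [name, ...values] = directive.trim().toLowerCase().split(/\s+/);
      if (!name || seen.has(name)) continue;
      seen.add(name);
      if (name === "sandbox") found.push(values);
    }
  }
  return found;
}

// frameSandboxAttrs: the sandbox attribute of each <iframe> from the top page
// down to the frame holding the form; null means the attribute is absent.
function describeContext({ cspHeader = "", frameSandboxAttrs = [] }) {
  const lists = sandboxPolicies(cspHeader);
  for (const attr of frameSandboxAttrs) {
    if (attr !== null) {
      lists.push(attr.trim().toLowerCase().split(/\s+/).filter(Boolean));
    }
  }
  const sandboxed = lists.length > 0;
  // Any sandbox without allow-same-origin gives the document an opaque origin.
  const opaqueOrigin = lists.some((t) => !t.includes("allow-same-origin"));
  // Decision rule as worded in the post: no autofill in a sandboxed context.
  return { sandboxed, opaqueOrigin, autofill: !sandboxed };
}

// Constructed sample contexts.
const samples = [
  { cspHeader: "default-src 'self'" },
  { cspHeader: "default-src 'self'; sandbox allow-scripts" },
  { frameSandboxAttrs: [null, "allow-scripts allow-same-origin"] },
];
for (const s of samples) console.log(JSON.stringify(s), describeContext(s));
```
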