I would like to understand if it is secure to enable auto-fill menu on form fields in the browser extension. If a page has a malicious script, can’t it simulate Bitwarden menu button clicks (via .click() or .dispatchEvent(MouseEvent)) to steal the password?
Hi @Mihails, great question! The simple answer is that we use sandboxed extension pages to render the overlay UI within closed Shadow DOM elements that are initialized with a randomized element name each time the overlay is first injected. This puts us in a position where script content that exists on a web page cannot pierce through the Shadow DOM elements to affect click events or other inline HTML attributes.
We’ve recently published more details on our Inline Auto-fill feature including a section on security, so I recommend you check that out for more information! 
2 Likes