Why is there a whitelist for browsers that support autofill?

I have recently noticed that Bitwarden has a hard-coded list of browsers where autofill is enabled.

I find it a bit weird to hard-code only a couple of supported browsers in a project, since there are so many Chrome-based browsers, and I don’t like the fact that you have to open an issue or pull request to get them added to the list. Is there any particular security reason why Bitwarden decided to do this, and why not just add an option where the user can add browsers he trusts on his own?

Probably because autofill support has to be adapted to each browser.

If you take a look you’ll see there’s a list of browsers that natively support autofill, and another with apps that need a compatibility shim – there’s no way to do this other than explicitly listing application names.

Also, it’s probably a good thing that people can’t just create a browser-like malware that silently keeps info passed to them via Bitwarden’s autofill :)