Autofill security improvements #17

Merged: dbro merged 17 commits into main from autofill-fixes on Jun 3, 2026

dbro (Owner) commented Jun 3, 2026

Autofill

  • Harden same-profile autofill authorization and destination validation.
  • Validate destination URL and clicked field before filling sensitive values.
  • Improve autofill popup focus behavior after fills and errors.
  • Show clearer error states for invalid password / one-time-code destination fields.
  • Count autofill popup uses and keep the popup open for repeated single-field insertions.
  • Add visual inserted-field checkmarks after successful single-field insertion.
  • Support named custom fields in autofill sequences, compatible with official Password Safe code.
  • Improve incognito / cross-profile pairing messaging.

Vault Settings

  • Add per-writable-vault master password rotation.
  • Allow changing unlock difficulty rounds when changing the master password.
  • Surface vault format and unlock difficulty under a shared SECURITY section for primary and secondary vaults.
  • Preserve secondary vault auto-unlock credentials when rotating the primary vault password.
  • Clear biometric enrollment after primary vault password rotation.
  • Add profile reset action to clear all Portpass configuration settings.
  • Align AUTOFILL section row sizing/spacing with VAULTS section styling.

dbro and others added 17 commits June 1, 2026 09:05

On mobile, opening a record navigates to a full-screen detail pane,
hiding the list. Auto-selecting the best match during search would
unexpectedly navigate away from the list. Restrict the behaviour to
desktop (two-pane layout only).

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

pp.focus() was called on the success path but missing from the catch
block in the bookmarklet IIFE; added it to mirror the success path.
Also adds window.focus() in showDestinationFieldError() as a
belt-and-suspenders measure on the popup side.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

dbro merged commit a700cbc into main Jun 3, 2026
7 checks passed
dbro deleted the autofill-fixes branch June 3, 2026 08:39