* turn off inline experience if host page aggressively competes for top of top-layer
* add alert message for top-layer hijack scenarios
* widen the backoff threshold
* refactor backoff logic to include popover attribute mutations
* improve getPageIsOpaque check
* do not attempt inline menu insertion if it has been disabled for security concerns
* fix typo
* cleanup
* add tests
* chore: update @types/firefox-webext-browser
* fix: add world: MAIN to Firefox page script registration
* review: add world property to registration type
This commit adds use_dynamic_url: true to the extension's web_accessible_resources configuration. When enabled, Chrome generates random session-based GUIDs for extension resource URLs instead of using the predictable static extension ID. This enhances privacy by making extension resource URLs unpredictable and prevents third-party enumeration of installed extensions.
The feature is supported in Chrome 102+ and changes resource URLs from chrome-extension://[static-id]/resource to chrome-extension://[random-guid]/resource, with GUIDs regenerating each browser session while maintaining all existing extension functionality.
Addresses: https://bitwarden.atlassian.net/browse/PM-28344
* PM-27900 harden iframe, origin route tightening and test updates
* reduce comments to make more legible
* Removes referrer check in favor of PM-27822 #17313 bitwarden/clients@4206447cfe
* make token optional since it is later set
* whitelist -> allowlist
* improve notes on unsafe
* improve content handler notes
* order allowlist
* improve jsdoc on ismessagefromextension method
* cover additional test cases
* rename verifytoken and document more clearly, update referrer
---------
Co-authored-by: Miles Blackwood <mrobinson@bitwarden.com>
* premium upgrade nudge
* add specs
* clean up vault template and specs
* fix date comparison. add more specs for date
* fix spec
* fix specs
* make prop private
* PM-4903 - added a check for auth status and popout tabs, if no popup tab and auth is locked, abandon autofill
* add test
* clear all notifications if unlock popout closed
* add more tests and use tabid for performance optimization
* feat: add support for IPC client managed session storage
* feat: update SDK
* fix: using undecorated service in jslib module directly
* feat: add test case for web
* chore: document why we use any type
* fix: `ipc` too short
* typo: omg
* Revert "typo: omg"
This reverts commit 559b05eb5a.
* Revert "fix: `ipc` too short"
This reverts commit 35fc99e10b.
* fix: use camelCase
* Fix reviews not saving in new applications review. Skip assign page if no at risk passwords are to be assigned. Fix bug in password change widget
* Claude comment improvements
* Remove internal use of getUserKey in the key service
* Move ownership of RotateableKeySet and remove usage of getUserKey
* Add input validation to createKeySet
* PM-26916 utilize opid on focused fields as first validation in order to avoid erroneously filling other similar fields
* extract logic to helper and take totp and multiple forms into account
* run prettier
* avoid filling with opid if already filled
* clean up comments and avoid early return so all fields are scanned
* add tests
* allow for search while vault is loading
* fix comment wording
* remove subscription return value - it is not used
* update `distinctUntilChanged` to account for tuple
* use feature flag to determine search pattern
* fix tests & lint issues
* fix lint errors part 2