Update Autofill to detect url bar webDomain for certain browsers

[david-livefront]

🎟️ Tracking

PM-27708
PM-27941

📔 Objective

This PR adds support for specific browsers to provide the website information by parsing it from the url bar field in the ViewNode graph.

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 13fa4b46-8234-455b-8f48-11ab244f0a3e

Great job! No new security vulnerabilities introduced in this pull request

[codecov]

Codecov Report

❌ Patch coverage is 85.96491% with 16 lines in your changes missing coverage. Please review.
✅ Project coverage is 84.99%. Comparing base (f364679) to head (d5e4125).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...twarden/data/autofill/parser/AutofillParserImpl.kt	67.56%	1 Missing and 11 partials ⚠️
...atform/feature/settings/autofill/AutoFillScreen.kt	92.85%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6141      +/-   ##
==========================================
+ Coverage   84.48%   84.99%   +0.51%     
==========================================
  Files         839      723     -116     
  Lines       55065    52854    -2211     
  Branches     7697     7676      -21     
==========================================
- Hits        46520    44925    -1595     
+ Misses       5857     5246     -611     
+ Partials     2688     2683       -5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[claude]

Claude finished @david-livefront's task —— View job

---

Code Review Complete

Overall Assessment: REQUEST CHANGES

Critical Issues:

• Missing KDoc documentation on public functions and properties
• Test coverage gap (52.94% patch coverage, 16 lines missing)
• Potential security/privacy concern with URL bar parsing approach

See inline comments for details.

---

Summary

This PR introduces URL bar detection for autofill in specific browsers (Microsoft Edge, Samsung Internet, Opera) by parsing the webDomain from URL bar fields. The implementation follows established patterns but has several areas requiring attention:

Architecture & Patterns: ✓ Follows MVVM architecture, proper DI with Hilt, and repository pattern
Security Considerations: ⚠️ Introduces new attack surface - see security finding below
Test Coverage: ❌ 52.94% patch coverage is below project standards
Documentation: ❌ Missing required KDoc on public APIs

Findings

Finding 1: ❌ Missing KDoc documentation on multiple public APIs violates project standards

The following public properties and functions lack required KDoc documentation per docs/STYLE_AND_BEST_PRACTICES.md:

• SettingsRepository.isAutofillWebDomainCompatMode (app/src/main/kotlin/com/x8bit/bitwarden/data/platform/repository/SettingsRepository.kt:158-160)
• ViewNodeTraversalData.urlBarWebsites property (app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/model/ViewNodeTraversalData.kt:10)
• AutofillView.updateWebsiteIfNecessary() function (app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/parser/AutofillParserImpl.kt:320-340)

Finding 2: ⚠️ Security/privacy consideration: URL bar parsing creates potential attack surface

Details

The implementation parses webDomain from URL bar fields to determine the autofill context. This approach has security implications:

Risk: A malicious app could potentially spoof URL bar data by creating ViewNodes with matching idEntry values and crafted webDomain content, causing Bitwarden to autofill credentials for the wrong domain.

Mitigation Present: The warning dialog in the UI correctly communicates this is "less secure" and warns about malicious sites, which is good. The feature is also opt-in (disabled by default).

Recommendation: Consider documenting the threat model implications in code comments within AutofillParserImpl.kt around lines 93-96 where urlBarWebsite is extracted. This would help future maintainers understand the security trade-offs.

Example:

// SECURITY NOTE: URL bar detection uses ViewNode.webDomain from browser URL fields
// to determine autofill context. This is less secure than standard autofill as:
// 1. It relies on idEntry matching (spoofable by malicious apps)
// 2. webDomain content is not cryptographically verified
// This feature is opt-in and warns users of these risks.
val urlBarWebsite = traversalDataList
    .flatMap { it.urlBarWebsites }
    .firstOrNull()
    ?.takeIf { settingsRepository.isAutofillWebDomainCompatMode }

Finding 3: ❌ Insufficient test coverage (52.94% patch coverage)

Details

Codecov reports 16 lines missing coverage. Key gaps:

1. AutofillParserImpl.kt:320-340 - The new updateWebsiteIfNecessary() function lacks branch coverage tests:

   • Not testing all AutofillView subtype branches (only Login.Username is covered)
   • Missing test for Card types (Brand, CardholderName, ExpirationDate, etc.)
   • Missing test for Unused type

2. AutofillParserImpl.kt:280-284 - URL bar detection logic in traverse():

   • Missing test coverage for when storedUrlBarId is non-null but idEntry doesn't match
   • Missing test for multiple URL bar websites being accumulated (line 308)

3. UI/ViewModel - While basic toggle tests exist, missing:

   • Test for dialog dismissal/cancellation flows
   • Test verifying accessibility semantics on Learn More link

Required Actions:

• Add tests covering all branches of updateWebsiteIfNecessary() for each AutofillView type
• Add test for multiple URL bar nodes in ViewNode hierarchy
• Consider snapshot/screenshot tests for the warning dialog UI

Finding 4: 💭 Consider extracting URL_BARS map to configuration

Details

The URL_BARS map at app/src/main/kotlin/com/x8bit/bitwarden/data/autofill/parser/AutofillParserImpl.kt:35-44 hardcodes browser package names and URL bar field IDs.

Consideration: As more browsers are added, this could become maintenance-heavy. Consider:

1. Moving to a separate configuration file/class for easier updates
2. Documenting how to determine idEntry values for new browsers
3. Adding a comment explaining why only these specific browsers are supported

This is not blocking but would improve maintainability.

Finding 5: 🎨 Improve string resource formatting consistency

Details

In ui/src/main/res/values/strings.xml:1156-1158:

The warning message is quite long (49 words). Consider breaking into shorter, more digestible sentences for better i18n and readability:

<string name="compatibility_mode_warning">Compatibility mode should only be enabled if autofill doesn't work in your browser. This setting reduces security and could allow malicious sites to capture your passwords. Only enable it if you accept this risk.</string>


<string name="compatibility_mode_warning">Compatibility mode should only be enabled if autofill doesn\'t work in your browser.\n\nThis setting reduces security and could allow malicious sites to capture your passwords.\n\nOnly enable it if you accept this risk.</string>

Adding line breaks improves scannability in the dialog.

Finding 6: 💭 Question about browser selection criteria

Details

The PR includes Edge, Samsung Internet, and Opera browsers. From the Jira tickets context:

• Are there other major browsers that would benefit from this (Firefox, Brave, DuckDuckGo)?
• What's the criteria for adding a browser to this list?
• Should there be a mechanism for users to manually configure URL bar fields for unsupported browsers?

This isn't blocking, but clarification would help understand the long-term strategy.

---

Positive Observations

👍 Excellent architecture compliance - proper separation of concerns across data/UI layers
👍 Good use of feature flag pattern (opt-in setting)
👍 Warning dialog appropriately communicates security risks to users
👍 Comprehensive ViewModel tests for the happy path
👍 Proper use of StateFlow and action handling in ViewModel
👍 String resources properly externalized for i18n

---

Required Changes

1. ❌ Add KDoc documentation to all public APIs (Finding 1)
2. ❌ Increase test coverage to at least 80% for new code (Finding 3)
3. ⚠️ Add security threat model comments (Finding 2 - recommended but not blocking)

[claude]

❌ Missing required KDoc documentation

Details

Per docs/STYLE_AND_BEST_PRACTICES.md line 273: "All public classes, functions, and properties should include documentation in the KDoc style."

Required:

/**
 * Whether or not autofill web domain compatibility mode is enabled. When enabled,
 * autofill will parse website information from browser URL bar fields for supported
 * browsers. This is less secure than standard autofill.
 *
 * Defaults to `false` (disabled).
 */
var isAutofillWebDomainCompatMode: Boolean

This property is part of the public SettingsRepository interface and requires documentation explaining:

1. What the setting controls
2. Security implications
3. Default value

[claude]

❌ Missing KDoc for property parameter

Details

Per docs/STYLE_AND_BEST_PRACTICES.md line 297-307, data classes with more than 2 constructor properties must document each individually using @property.

Required:

/**
 * A convenience data structure for view node traversal.
 *
 * @property autofillViews The list of views we care about for autofilling.
 * @property idPackage The package id for this view, if there is one.
 * @property urlBarWebsites The list of website URLs detected from browser URL bar fields,
 *     extracted when compatibility mode is enabled for supported browsers.
 * @property ignoreAutofillIds The list of [AutofillId]s that should be ignored in the fill response.
 */
data class ViewNodeTraversalData(
    val autofillViews: List<AutofillView>,
    val idPackage: String?,
    val urlBarWebsites: List<String>,
    val ignoreAutofillIds: List<AutofillId>,
)

The urlBarWebsites property was added but not documented in the class-level KDoc.

[claude]

❌ Missing KDoc documentation for private function

Details

While this is a private function, it performs an important operation and should be documented per best practices (line 273 of STYLE_AND_BEST_PRACTICES.md allows optional documentation for private members, but this function's complexity warrants it).

Suggested:

/**
 * Updates the underlying [AutofillView.data] with the given [website] if the view does not already
 * have a website associated with it. This is used to populate website information from browser
 * URL bar fields when compatibility mode is enabled.
 *
 * @param website The website URL to set, or null to leave unchanged.
 * @return A new [AutofillView] instance with the updated website, or the original view if
 *     [website] is null or a website already exists.
 */
private fun AutofillView.updateWebsiteIfNecessary(website: String?): AutofillView {

This improves code comprehension and explains the behavior of returning early when website already exists or when the parameter is null.

[claude]

⚠️ Security consideration: Add threat model documentation

Details

This code extracts website information from URL bar fields, which has security implications. Consider adding a comment documenting the threat model:

// SECURITY NOTE: URL bar detection uses ViewNode.webDomain from browser URL fields
// to determine autofill context. This approach has known limitations:
// 1. Relies on idEntry matching which could be spoofed by malicious apps
// 2. webDomain content is not cryptographically verified by the OS
// 3. Only enabled when user explicitly opts-in via isAutofillWebDomainCompatMode
// See PM-27708 for security analysis and user warnings in the settings UI.
val urlBarWebsite = traversalDataList
    .flatMap { it.urlBarWebsites }
    .firstOrNull()
    ?.takeIf { settingsRepository.isAutofillWebDomainCompatMode }

This helps future maintainers understand why this feature is opt-in and what the security trade-offs are.

[claude]

💭 Consider adding documentation for URL_BARS map maintenance

Details

Suggested improvement:

/**
 * A map of package IDs to their known URL bar field identifiers.
 * 
 * To add a new browser:
 * 1. Enable Android's "Show view attribute inspection" in Developer Options
 * 2. Use Android Studio's Layout Inspector on the browser's URL bar
 * 3. Locate the ViewNode's idEntry value for the URL/address field
 * 4. Add mapping: "package.name" to "id_entry_value"
 * 
 * Supported browsers:
 * - Microsoft Edge (all variants)
 * - Samsung Internet (stable and beta)
 * - Opera (stable and beta)
 */
private val URL_BARS: Map<String, String> = mapOf(

This makes it easier for contributors to add new browsers and understand how these IDs were determined.

[claude]

❌ Missing test coverage for all AutofillView subtypes

Details

The existing tests only cover AutofillView.Login.Username. The updateWebsiteIfNecessary() function has branches for all AutofillView types (lines 320-340 in AutofillParserImpl.kt), but these aren't tested:

Missing test cases:

1. Card types: Brand, CardholderName, ExpirationDate, ExpirationMonth, ExpirationYear, Number, SecurityCode
2. Login.Password
3. Unused type

Suggested test structure:

@Test
fun `parse updates Card autofill views with URL bar website when compat mode enabled`() {
    // Test with Card.Number view
    // Verify website is populated from URL bar
}

@Test
fun `parse does not override existing website in AutofillView when URL bar present`() {
    // Setup view with existing website
    // Verify URL bar website doesn't override it
}

@Test
fun `parse handles multiple URL bar nodes by using first match`() {
    // Setup traversal with multiple urlBarWebsites entries
    // Verify first website is used (per line 95: .firstOrNull())
}

This will bring patch coverage above 80% and ensure all code paths are verified.

[david-livefront]

Thanks @SaintPatrck