Please add Firefox Nightly to fido2_privileged_allow_list.json. #3315

Open
1 task
segln mannequin opened this issue Jun 10, 2024 · 14 comments
Labels
bug Something isn't working

Comments

@segln

segln mannequin commented Jun 10, 2024

Steps To Reproduce

  1. Navigate to a website that supports passkey.
  2. The passkey list is shown.
  3. Select a passkey.

Expected Result

Bitwarden shows (fingerprint) authentication form and continues to website.

Actual Result

An error occurred. "Passkey operation failed because browser is not privileged"

Screenshots or Videos

No response

Additional Context

There is no Firefox Nightly (org.mozilla.fenix) in fido2_privileged_allow_list.json.

Operating System

Android

Operating System Version

14

Device

Samsung Galaxy S24+

Build Version

2024.5.1 (10574)

Beta

  • Using a pre-release version of the application.
@segln segln mannequin added the bug Something isn't working label Jun 10, 2024
@daniellbw

daniellbw mannequin commented Jun 14, 2024

Hi there,

Thank you for your report! This has been flagged to our engineering team.

@vvolkgang vvolkgang transferred this issue from another repository Jun 19, 2024
@RadNotRed

Can Iceraven also be added? Firefox fork for Android https://github.com/fork-maintainers/iceraven-browser

@yetdragon

Fennec (F-Droid's fork of Firefox) also seems to be not in the list.

@M3gaFr3ak

Mull also isn't privileged.

@bb010g

bb010g commented Aug 31, 2024

How are browser developers on Android expected to work around this when testing passkey support with Bitwarden?

@bb010g

bb010g commented Aug 31, 2024

This issue was introduced by:

Could we be informed of the reasoning behind PM-7658 and why it's beneficial and/or necessary for Bitwarden to implement its own verification on top of Android's existing passkey flow?

@KiARC

KiARC commented Sep 1, 2024

Seconding bb010g: This seems like a poor design choice. What benefit is there to locking out uncommon/nonstandard browsers from passkey usage? Surely it should be the user's responsibility to avoid unsafe browsers, not Bitwarden's to refuse to interoperate with them.

If there really is a need for this, perhaps a setting could be added by which users can whitelist specific apps (such as Firefox Nightly) to be considered privileged, so that at the very least it isn't something that requires a PR to fix for each new browser.

@hellfire103

How's it looking?

@hj-collab

hj-collab commented Oct 16, 2024

@vvolkgang @fedemkr Please give some priority to this issue. A whole set of users are not able to use passkeys because your team forgot to include Firefox Nightly in the allowed browsers list. We have Chrome Canary in the list but not Firefox Nightly.

Why is user choice being taken away in the first place? Why should I only use the browsers mentioned in the list?

It feels like the team's priority is to make meaningless design changes instead of fixing the bugs which are significantly hammering the usability.

@vvolkgang
Member

vvolkgang commented Oct 17, 2024

👋🏾 We're following Google's security guidelines and API requirements, as documented here: https://developer.android.com/identity/sign-in/credential-provider#obtain-allowlist

In the new bitwarden/android repository we recently improved this approach by creating a community supported allow list file where you'll find some of the browsers previously mentioned in this thread and are also free to contribute to with additional browsers:

https://github.com/bitwarden/android/blob/main/app/src/main/assets/fido2_privileged_community.json
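An added example, not Bitwarden's or Google's code: a Python model of the kind of privileged-caller check behind the "browser is not privileged" error, showing that a caller passes only when both its package name and its signing-certificate fingerprint are listed. The JSON layout follows the allowlist format Google publishes and is assumed here to match fido2_privileged_allow_list.json; the certificate bytes, fingerprints and function names are constructed for illustration.

```python
import hashlib
import json

def fingerprint(cert_der: bytes) -> str:
    """Colon-separated upper-case SHA-256 of a signing certificate."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

# Constructed stand-ins for DER-encoded signing certificates.
CHROME_CERT = b"constructed-cert-chrome"
NIGHTLY_CERT = b"constructed-cert-nightly"
OTHER_CERT = b"constructed-cert-other-signer"

# Constructed allowlist; the layout is an assumption (Google's published format).
ALLOWLIST_JSON = json.dumps({"apps": [{
    "type": "android",
    "info": {
        "package_name": "com.android.chrome",
        "signatures": [{"build": "release",
                        "cert_fingerprint_sha256": fingerprint(CHROME_CERT)}],
    },
}]})

def load_allowlist(text: str) -> dict[str, set[str]]:
    """Map package name -> set of accepted signing-cert fingerprints."""
    table: dict[str, set[str]] = {}
    for app in json.loads(text).get("apps", []):
        if app.get("type") != "android":
            continue
        info = app.get("info", {})
        prints = {s["cert_fingerprint_sha256"].upper()
                  for s in info.get("signatures", [])}
        table.setdefault(info.get("package_name", ""), set()).update(prints)
    return table

def is_privileged(table: dict[str, set[str]], package: str, cert_der: bytes) -> bool:
    """Privileged only if the package is listed AND signed by a listed cert."""
    return fingerprint(cert_der) in table.get(package, set())

def add_entry(text: str, package: str, cert_der: bytes) -> str:
    """Return allowlist JSON with one more app entry (what a list PR does)."""
    doc = json.loads(text)
    doc["apps"].append({"type": "android", "info": {
        "package_name": package,
        "signatures": [{"build": "release",
                        "cert_fingerprint_sha256": fingerprint(cert_der)}]}})
    return json.dumps(doc)
```

Because the entry pairs the package name with a certificate fingerprint, an app that reuses a listed package name but is signed by a different key is still rejected.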

@hj-collab

@vvolkgang Thanks for the update. I am sorry for being harsh. Will look forward to the release of the new Bitwarden Android app.

@bb010g

bb010g commented Oct 19, 2024

@vvolkgang I'm glad to see the new process for the rewrite. Could allowlist changes from there be mechanically backported to here until the original app is deprecated?

@Snuupy

Snuupy commented Oct 24, 2024

> 👋🏾 We're following Google's security guidelines and API requirements, as documented here: https://developer.android.com/identity/sign-in/credential-provider#obtain-allowlist
>
> In the new bitwarden/android repository we recently improved this approach by creating a community supported allow list file where you'll find some of the browsers previously mentioned in this thread and are also free to contribute to with additional browsers:
>
> https://github.com/bitwarden/android/blob/main/app/src/main/assets/fido2_privileged_community.json

Hi, this list should not be hardcoded (even if done through community sourcing), instead there should be a user setting to add browser package names to the list in the app that is passed onto the API. Defaults can be provided but should not be the end all be all.

What happens if another browser is created? Users have to wait for it to be added to the community whitelist? Why not make it user configurable, and you can keep the (default) whitelist if you want to?

@yoyo930021

yoyo930021 commented Nov 1, 2024

In fact, the Firefox Nightly org.mozilla.fenix mentioned in this issue still hasn’t been added to the allowed list?
