
Discussion: Provide users a way to verify the URI they're using autofill on

Open • danielphan2003 opened this issue 2 years ago • 1 comment

On first adding a new URI field, Keyguard should prompt the user to verify that URI's legitimacy.

There are many platforms that need verification:

Android URIs (aka Android apps):

Verifying Android App Links

  • Not all apps use this.

Verifying app signature (derived from the process that Play app signing uses).

  • We could save the signature to custom fields, and use that to verify other instances of autofilling later on.

  • If the signature is different from what Keyguard has: warn the user before they proceed, and optionally allow them to add this to a list of verified signatures.

Web

  • /.well-known directories
  • DNS
  • HTTP headers

Other platforms

TBD.

IMHO is there already an infrastructure that can do all of this for us? I tried searching for uri attestation and uri verification and none came out.

Edit1: Cross posting this to Reddit.

danielphan2003 Aug 31 '23 20:08
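The two Android checks proposed above, sketched as an added example (not Keyguard or Bitwarden code): a lookup in a Digital Asset Links statement list, as served from `/.well-known/assetlinks.json`, and a pin-on-first-use comparison of the app's signing-certificate fingerprint. The function names, the in-memory `pins` dict standing in for custom fields, and the sample package and fingerprint are assumptions; fetching the file and reading the certificate from Android are left out.

```python
import json
from enum import Enum

HANDLE_URLS = "delegate_permission/common.handle_all_urls"
# Constructed sample of what a site serves at /.well-known/assetlinks.json.
# The package name and fingerprint are made up for this example.
SITE_FP = ":".join(["AB"] * 32)
SAMPLE_ASSETLINKS = json.dumps([{
    "relation": [HANDLE_URLS],
    "target": {"namespace": "android_app",
               "package_name": "com.example.bank",
               "sha256_cert_fingerprints": [SITE_FP]},
}])

class Verdict(Enum):
    FIRST_SEEN = 1  # nothing pinned yet: ask the user to verify, then pin
    MATCH = 2       # signer is in the user's verified list
    MISMATCH = 3    # signer differs from what was pinned: warn before autofill

def normalize(fp: str) -> str:
    """Lowercase hex without colons; rejects anything that is not 32 bytes."""
    h = fp.replace(":", "").strip().lower()
    if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return h

def site_vouches_for_app(assetlinks: str, package: str, fp: str) -> bool:
    """True if the site's statement list names this package and signer."""
    want = normalize(fp)
    for stmt in json.loads(assetlinks):
        target = stmt.get("target", {})
        listed = {str(f).replace(":", "").lower()
                  for f in target.get("sha256_cert_fingerprints", [])}
        if (target.get("namespace") == "android_app" and want in listed
                and target.get("package_name") == package
                and HANDLE_URLS in stmt.get("relation", [])):
            return True
    return False

def check_pin(pins: dict, package: str, fp: str) -> Verdict:
    """Compare the signer seen at autofill time with the pinned signers."""
    known = pins.get(package)
    if not known:
        return Verdict.FIRST_SEEN
    return Verdict.MATCH if normalize(fp) in known else Verdict.MISMATCH

def trust(pins: dict, package: str, fp: str) -> None:
    """Add a signer to the verified list after the user confirms it."""
    pins.setdefault(package, set()).add(normalize(fp))
```
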

This is a very good feature to have and I myself was surprised that Bitwarden doesn't support it.

While I also was thinking that I can abuse custom fields to implement any feature (such as tags for example), I would discuss it with the Bitwarden team first (to be able to mark a field as a service field or something like that).

Let's leave this one for the time when I have feature parity with Bitwarden and want to move ahead. 😀

AChep Sep 01 '23 03:09