bitwarden / clients

Bitwarden client apps (web, browser extension, desktop, and cli).
https://bitwarden.com

Bitwarden blocks page load on Edge browser #6767

Open Rhywden opened 1 year ago

Rhywden commented 1 year ago

Steps To Reproduce

1) Install Bitwarden extension on Windows 11 Edge
2) Click this link: https://s.leylab.de/3ayTLsrYXp
3) Watch the page being stuck on loading (I made a video comparing Edge, Chrome and Firefox)

And yes, the extension poses this problem exclusively on Edge. Chrome's and Firefox's Bitwarden extensions do not show this.

Expected Result

I expect the page to be loaded completely.

Actual Result

The page is stuck in an eternal loading spinner.

Screenshots or Videos

Video: https://video.bs18.de/Video?id=7450ba16-cc3f-4f69-9016-db2ba379e7bd

Additional Context

The console throws this error:

Denying load of chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh/content/fido2/labdoc.js. Resources must be listed in the web_accessible_resources manifest key in order to be loaded by pages outside the extension.

Operating System

Windows

Operating System Version

22H2 Build 22621.2506

Web Browser

Microsoft Edge

Browser Version

Version 118.0.2088.76 (Offizielles Build) (64-Bit)

Build Version

2023.10.0

Issue Tracking Info

Neonwarden commented 1 year ago

Hi there,

I attempted to reproduce your issue and was unable to do so. Please make sure your Windows 11 computer is up to date and you have restarted your device before attempting to reinstall the extension from the Edge extension store.

We use GitHub issues as a place to track bugs and other development-related issues. If your issue persists, please write us back using our contact form, so we can continue troubleshooting: https://bitwarden.com/contact/

You can include a link to this issue in the message content.

Alternatively, you can also search for an answer in our help documentation (https://bitwarden.com/help/) or get help from other Bitwarden users on our community forums (https://community.bitwarden.com/c/support/).

The issue here will be closed.

Thanks!

Rhywden commented 1 year ago

I can reproduce the bug on two different PCs. Not sure why you're immediately closing an issue.

Neonwarden commented 1 year ago

Hi there,

This has been escalated for further investigation. If you have more information that can help us, please add it below.

Thanks!

yGuy commented 11 months ago

I can reproduce this, too. I have a page that doesn't load at all anymore with my browser and Bitwarden extension installed (not even logged in). My system:
Microsoft Edge for Business Version 119.0.2151.93 (Official build) (64-bit)
Bitwarden - Free Password Manager Version 2023.12.0

Website: https://www.yworks.com/yed-live/

Upon first load many images and other stuff break. Once you inspect the DOM and the console I can see that many URLs have been replaced according to this schema, which obviously breaks the page:

Original URL: <img data-v-8d85c888="" src="https://www.yworks.com/yed-live/js/../img/yed-live-logo.e7279c01.svg">
Broken URL: <img data-v-8d85c888="" src="chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh/content/fido2/../img/yed-live-logo.e7279c01.svg">

This also happens for other URLs (JavaScript, etc.) and there does seem to be a timing issue, because reloading the page immediately typically resolves the issue. The above elements are being inserted dynamically into the DOM and it seems that Bitwarden hooks into these DOM changes and makes these URL replacements, breaking the page.

yGuy commented 11 months ago

I just debugged the example of the original poster: The problem is that there is code in "sciencelab.js" that tries to find the script path by looking at script tags in the page. It expects to only find its own scripts and trips over the injected fido2 page script.

So at least this one is not really a bug in the plugin, but the plugin triggers a bug in the code because the page gets modified at a point in time where the page author did not expect the page to be modified yet.

I will try to see if this is also the reason for my repro.

yGuy commented 11 months ago

I think I found the problem for my repro, too. The issue is the injected script tag that trips over tools like webpack, which under certain configurations will check the URL of the last script tag and expect it to be a "good" one, but they find the "chrome-extension" URL and then start loading stuff via that URL. If you are using webpack with an "auto" basepath resolution, but you are building for both legacy IE browsers and modern browsers, then webpack will use the fallback code that can be fooled by the injected script tag.
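
The failure mode described in the comment above, as an added example that is not part of the thread and not webpack's or Bitwarden's code: a simplified model of a "take the last script tag" base-path fallback, next to a variant that ignores scripts from origins the page does not trust. The file name `app.js`, the function names and the origin allow-list are assumptions; the extension path and asset name are taken from the URLs quoted in this thread.

```javascript
// Simplified model of a "derive my base path from the last <script>" fallback.
// scriptSrcs stands in for the src values of document.getElementsByTagName("script").
function baseFromLastScript(scriptSrcs) {
  for (let i = scriptSrcs.length - 1; i >= 0; i--) {
    if (scriptSrcs[i]) {
      // Strip fragment/query, then the file name, keeping the directory.
      return scriptSrcs[i].replace(/[#?].*$/, "").replace(/\/[^/]+$/, "/");
    }
  }
  throw new Error("no script with a src found");
}

// Hardened variant: only http(s) scripts from an explicit origin allow-list count,
// so a script tag injected by an extension is skipped.
function baseFromTrustedScript(scriptSrcs, allowedOrigins) {
  for (let i = scriptSrcs.length - 1; i >= 0; i--) {
    if (!scriptSrcs[i]) continue;
    let url;
    try { url = new URL(scriptSrcs[i]); } catch { continue; }
    const isWeb = url.protocol === "https:" || url.protocol === "http:";
    if (isWeb && allowedOrigins.includes(url.origin)) {
      return url.origin + url.pathname.replace(/\/[^/]+$/, "/");
    }
  }
  throw new Error("no trusted script found");
}

// Constructed sample input: the page's own script (name assumed), an inline
// script with an empty src, and the injected extension page script.
const PAGE_SCRIPTS = ["https://www.yworks.com/yed-live/js/app.js", ""];
const EXT_SCRIPT =
  "chrome-extension://jbkfoedolllekgbhcbcoahefnbanhhlh/content/fido2/page-script.js";
const ASSET = "../img/yed-live-logo.e7279c01.svg";

function demo() {
  const injected = [...PAGE_SCRIPTS, EXT_SCRIPT];
  const origins = ["https://www.yworks.com"];
  return {
    cleanNaive: baseFromLastScript(PAGE_SCRIPTS) + ASSET,
    injectedNaive: baseFromLastScript(injected) + ASSET,
    injectedHardened: baseFromTrustedScript(injected, origins) + ASSET,
  };
}

console.log(demo());
```

For webpack builds, setting `output.publicPath` to an explicit value avoids the script-tag lookup altogether.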

Rhywden commented 11 months ago

> I just debugged the example of the original poster: The problem is that there is code in "sciencelab.js" that tries to find the script path by looking at script tags in the page. It expects to only find its own scripts and trips over the injected fido2 page script.
>
> So at least this one is not really a bug in the plugin, but the plugin triggers a bug in the code because the page gets modified at a point in time where the page author did not expect the page to be modified yet.
>
> I will try to see if this is also the reason for my repro.

I forgot to include that the authors of this page replied to me that this is actually intended on their end in order to prevent outside modification.

yGuy commented 11 months ago

> I forgot to include that the authors of this page replied to me that this is actually intended on their end in order to prevent outside modification.

Classic answer: It's not a bug it's a feature!

Honestly: that's a lie of a developer who is sick of working against broken browser extensions. I saw the code on your page and that is definitely not the intention of the code. If the plugin was added in another location that "feature" would not work.

Rhywden commented 11 months ago

Thing is that I'm not seeing why this injection is even necessary - neither do I have FIDO2 enabled nor have I saved credentials for that particular site.

yGuy commented 11 months ago

Is this used for logging in? This is even injected into the site when you aren't even logged in to Bitwarden.

navee commented 10 months ago

Reverting to version 2023.9 resolves the issue related to a script injection problem mentioned in #7080, which alters the URL of style sheets or scripts when injecting the page-script.js script.