search

jfitzell / mozilla-keychain

Store your Firefox website usernames and passwords in Apple's Keychain Services, just like Safari and other browsers do on OS X.
55 stars 9 forks source link

Extension does not work in FF 57+ due to Mozilla removing necessary interfaces #88

Open bkimmett opened 7 years ago

bkimmett commented 7 years ago

OK so, as of Firefox 57, released at the end of 2017, XUL and Addon SDK extensions (including this one) won't work - Keychain Services Integration will need to be ported to WebExtensions, if this is possible. (See https://developer.mozilla.org/en-US/Add-ons/WebExtensions/Porting_a_legacy_Firefox_add-on for more info about the change.)

I've started the ball rolling by filing a bug in Bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=1362981) requesting that a WebExtensions version of the login manager API be added.

bkimmett commented 7 years ago

OK, it looks like the Firefox team is working on adding a nsiLoginManager equivalent to Firefox:

https://github.com/web-ext-experiments/logins

Still looking into getting WebExtensions equivalent of nsiLoginManagerStorage API.

jfitzell commented 7 years ago

Thanks for kicking this off. I'm skeptical they'll add it, but let's see what happens!

(I've added a comment to https://bugzilla.mozilla.org/show_bug.cgi?id=1344788)

sierkb commented 6 years ago

Any progress on this issue? Firefox 57 release is just around the corner, Firefox 57 betas (with which this extension doesn't function any longer) are just into the public. What next? Alternatives?

bkimmett commented 6 years ago

We're still waiting on the loginStorage API. Which is waiting on the logins API, which is waiting on a security review. It looks like on Bugzilla they've said it won't be in 57 but it might be in 58?

(This isn't the only addon that's just going to be broken with no alternative for a version. I'm working on Cookie Monster...)

sierkb commented 6 years ago

See from today these comments and tracking changes and backchanges:

Bugzilla Bug 106400: [RFE] Pwmgr should support OS X Keychain https://bugzilla.mozilla.org/show_bug.cgi?id=106400#c100 (me) -> https://bugzilla.mozilla.org/show_bug.cgi?id=106400#c101

Bugzilla Bug 1362981: Request WebExtensions API equivalent to nsiLoginManager https://bugzilla.mozilla.org/show_bug.cgi?id=1362981#c5 (me) -> https://bugzilla.mozilla.org/show_bug.cgi?id=1362981#a12192834_580382

Bugzilla Bug 1324919: Land logins API https://bugzilla.mozilla.org/show_bug.cgi?id=1324919#c16 (me) -> https://bugzilla.mozilla.org/show_bug.cgi?id=1324919#a24164072_580382

Bugzilla Bug 1344788: Implement login storage API https://bugzilla.mozilla.org/show_bug.cgi?id=1344788#c12** (me) -> https://bugzilla.mozilla.org/show_bug.cgi?id=1344788#a17613514_580382

How to accelerate, how to revive the issue, which now is very pestering and urgent, having the release date of FF57 just around the corner?

bkimmett commented 6 years ago

Yeah, I just checked the bugs you linked to and they've been updated with "wontfix" on the Firefox 57 status. I think our best bet is to make a big noise to try and get it into Firefox 58.

sierkb commented 6 years ago

Yes. This (to make a big noise to try and get it in as soon as any possible, at least into Firefox 58, if 57 is lost and too late) had to be made much much earlier. But better late than never tried and given up without a struggle.

MikkCZ commented 6 years ago

Wouldn't be possible and more beneficial porting the functionality based on the original code directly into Firefox? I believe there are open bugs to support macOS keychain in Firefox.

EDIT: It's bug 106400. @mnoorenberghe is listed as triage owner, so he could probably give you some help or direction to someone who can.

jfitzell commented 6 years ago

Wouldn't be possible and more beneficial porting the functionality based on the original code directly into Firefox? I believe there are open bugs to support macOS keychain in Firefox.

Possibly. You'll see that bug has been open for 16 years with nothing having been done. Over the years I've maintained the extension, I've had no support when it came to things like application signing that were necessary to get the extension working. So if you could make a simple patch that just worked, maybe you'd have success, but I'm not sure you'll find the support needed given that I'm pretty sure:

  1. it would be a fairly involved patch that would require some refactoring of what's already there
  2. it's a pretty sensitive area that would require very thorough review
  3. the extension "mostly works" but it's a bit hacky in a few areas (including lack of support for Firefox Sync) and these would almost certainly need to be fixed if it was being added to the core product and go out to millions of users

I struggle to find time to even maintain the current extension at the moment, so even if I was confident it would be accepted, there's just no way I have time at the moment to rewrite it and take it through the process of getting it approved and integrated. :( I'm happy to offer what advice I can to anyone else who wants to try, though...

hraban commented 6 years ago

Looking at that bug in Mozilla, it's pretty clear it won't be fixed in this decade. They've recently restricted comments to contributors. I agree it would be the cleanest solution, but it doesn't look realistic, for now.

I'll add my explicit (useless) +1 here; this plugin was a great "DIY" alternative to password managers like 1password.

OznipSlaugh commented 6 years ago

Considering the current bugs, it'd be really good to get this working for people, or is there an alternative?

And I would be more than happy to put money into a patreon or kofi for this

sbwoodside commented 6 years ago

Two thoughts.

  1. Is complete control over the login manager required? If Firefox provided an API to allow third parties to merely provide passwords, that would at least allow the use of Keychain passwords in FF. What I mean is, it's not necessary to read/write the passwords stored in FF, merely to read/write the password entry fields. That difference would decrease the security implications for FF.

    Or maybe I'm covering already-covered ground. Would the logins API provide that much functionality?

  2. Perhaps it would be a good idea to coordinate with the other affected parties. For example, see:

Gnome:

KDE:

josuedanielbust commented 6 years ago

I'm backing to Mozilla Firefox (After some months) and I was searching this extension cuz I really love it and see still are problems 😢 I don't know too much about mozilla core but if is needed support or put money I can try to help with a donation.

sbwoodside commented 6 years ago

See also: https://bugs.chromium.org/p/chromium/issues/detail?id=466638

aalonzi commented 5 years ago

Hi, There are updates?

griswolf commented 5 years ago

Finally finished breaking w/ Thunderbird 60. Is there any hope?

jfitzell commented 5 years ago

Just had a quick skim of the Firefox bugs and don't see any progress, so no hope really, no. I'm thinking of going to LastPass (for my not super sensitive passwords)

bkimmett commented 5 years ago

[sigh] Yeah. If you want to keep going despite that, your best bet is getting involved in the Firefox development process, specifically WebExtensions committees, and making noise (advocating) for login manager (nsiLoginManager/nsiLoginManagerStorage) support in Firefox. As it is new, the bureaucratic process is stalled with several parts waiting on others. It needs someone to ask questions...

griswolf commented 5 years ago

I'm too old to start this particular slog again for something that is only "nice", not "necessary". Sigh. I have been using LastPass for my normal-sensitive passwords for a decade or so. Does jack squat for Thunderbird, though. Also a little klunky for some web pages, though it just works in various browsers well over 95% of the time... and the price is right.

scrutinizer11 commented 5 years ago

With all said above in mind do I understand correctly the add-on development is stopped? I'm one of those "million users" and signed up to GitHub only to ask here since KSI was necessary because I run an old OS X and, unfortunately, can't rely on Safari. I need integration with Waterfox that is based on Firefox 56.2.5 ESR. I checked the add-on's FF page, it's been removed. Does that mean it won't be updated any more?

jfitzell commented 5 years ago

Afraid so – there's currently no way I know of to implement it as an extension. It looks like Mozilla have taken down the add-on page and I can't immediately see any way to make it visible again.

If you're using an old version that still supports native extensions, you can still download the last release from here and install it manually.

scrutinizer11 commented 4 years ago

Thanks for kicking this off. I'm skeptical they'll add it, but let's see what happens!

(I've added a comment to https://bugzilla.mozilla.org/show_bug.cgi?id=1344788)

Jesus, using Firefox on all of my macOSes, need it so badly. I'm using Keychain Access on a routine basis, manually adding passwords, so that when I clear everything in the browser, my logins are still intact. I read the thread (and, in fact, discovered posting myself here almost 1,5 years ago), but still dare to ask, has smth changed since then? Has Mozilla reinstated some of the necessary APIs in the new form? Any chances this valuable extension will get a new life? I'm now using FF Legacy and FF 75 on all of the macOSes I run, also I'm using an old Tor browser on Lion, that's the only place where KSI can be installed in.

jfitzell commented 4 years ago

Not that I know of, no. :(

On Thu, 23 Apr 2020, 6:21 pm scrutinizer11, notifications@github.com wrote:

Thanks for kicking this off. I'm skeptical they'll add it, but let's see what happens!

(I've added a comment to https://bugzilla.mozilla.org/show_bug.cgi?id=1344788)

Jesus, using Firefox on all of my macOSes, need it so badly. I'm using Keychain Access on a routine basis, manually adding passwords, so that when I clear everything in the browser, my logins are still intact. I read the thread (and, in fact, discovered posting myself here almost 1,5 years ago), but still dare to ask, has smth changed since then? Has Mozilla reinstated some of the necessary APIs in the new form? Any chances this valuable extension will get a new life? I'm now using FF Legacy and FF 75 on all of the macOSes I run, also I'm using an old Tor browser on Lion, that's the only place where KSI can be installed in.

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/jfitzell/mozilla-keychain/issues/88#issuecomment-618530852, or unsubscribe https://github.com/notifications/unsubscribe-auth/AAVPHVQNCXU2PTV65Y23XI3ROB2KFANCNFSM4DKPL3TA .

bkimmett commented 4 years ago

As things currently stand, Firefox has changed its password storage system so that passwords are encrypted in some way that ties in to the associated user account's password. The passwords don't show up in the keychain, but I have to type in my account password to see them.

Mozilla calls this 'Firefox Lockwise' - relevant repositories are here: https://github.com/mozilla-lockwise

In most recent versions of Firefox, the browser interface for the password store can be accessed from about:logins.