Open Grundik opened 2 weeks ago
This is a difficult one. The extension already injects the passkeys script immediately to the tab. If the site itself triggers some script before that which calls the browser's own passkeys implementation, there might be no way to prevent it.
But, AFAIK there are few different options when to trigger content scripts, and currently the default value is to wait for the page content to be loaded. For passkeys the script could be modified to be loaded much earlier. Gotta investigate it.
It could be easier to reproduce with gitlab, if you have own instance: you can try to add passkey to your account, and try to enter admin mode. Second factor authentication asked at the page loading, so keepass misses it too. But gitlab has "try again" button, which works without page reloading, so second try would work fine.
I did some testing with this. Moved the passkeys inject function to a separate script so it's immediately loaded at document_start
. With Firefox this worked great. With Microsoft site there was no problems creating a new passkey, and it was the same with GitLab. Chrome however did not work any better, and creating a passkey for Microsoft failed every time. GitLab still required the "try again" method with GitLab when using Chrome.
Gotta investigate this further.
Expected Behavior
Keepass plugin should have a precedence over browser internal passkey mechanisms. When site asks for passkey on its loading, keepass should catch it first, and then fallback to browser in case of missed credentials.
Current Behavior
Internal browser passkey mechanisms have precedence, if page asks for passkey immediately after load: only after browser popup closed, and passkey request reinitiated (without page reload), keepass can do its thing.
On some sites "try again" link reloads the page, making keepass passkeys inaccessible, since it in this case it never has a chance. For example: microsoft.com.
Possible Solution
If it is possible, keepass browser plugin should initialize its mechanisms earlier, to take precedence over browser.
Steps to Reproduce (for bugs)
Debug info
KeePassXC - 2.7.9 (flatpak) KeePassXC-Browser - 1.9.3 Operating system: Linux x86_64 Browser: Chrome/Chromium 128.0.0.0 (flatpak ungoogled chromium)