Chore/credential migration

[RubenSmn]

New version of storing the credentials. Allows for storing the whole URL including, protocols and all subdomains.

The Migrator will run on startup check the version of the built-in store and updates the credentials to the new format if necessary.

For the migration it will

• check if a url matches any in the history, if yes, use that url, else
• check if the url already has a protocol if not, add https:// protocol
• finally store the new credentials and update the version

The same is done for the credentials that should never be saved

I've used the origin property of the URL since this one gives us the whole 'base' url so we don't need extra fields to save the protocol and subdomains.

[PalmerAL]

Thanks, I think this approach looks good generally. I haven't fully tested this yet, but a couple of initial comments:

• In the keychain import, the saved field is this: domain: new URL(domainWithProtocol).origin,, but in the migrator, the equivalent field is url: historyEntry.url. Is your intent to save an origin or a complete page URL? (I think origin should be fine)
• Doing this isn't secure: matchHost.replace('www.', '') === domain || matchHost === domain - imagine comparing "example.com" and "example.www.com". The www should be removed only if it appears at the start, immediately after a protocol.
• We'll need a change for Bitwarden as well (like I did here).

[RubenSmn]

Thanks for the feedback, I missed those first 2 points you mentioned 😅
Added the change for Bitwarden.

Let me know if I need to make more improvements!

[PalmerAL]

I left some more comments. Let me know if I read something incorrectly!

Due to the typo in ipc.handle, this branch actually crashes on launch when I try to run it. In addition to the comments, could you please make sure to test this on some passwords/sites of your own and confirm that everything works?

[PalmerAL]

Shouldn't we be saving an origin or a URL into currentDomain (which later gets passed to saveCredential)? With this way, I think we're not recording the protocol.

In my branch I addressed this by passing the entire URL into the manager: master...password-url-matching#diff-dfe869359e479c9fd76fbe8e10c5f46545b3ec71d7a029aafd096869489da6ed

[RubenSmn]

In the passwordFill.js we pass the origin part of the url instead of the hostname which will give us the whole base url https://sub.example.com and that should be sufficient for the saveCredential funtionality.

Maybe the domain variable name is a little confusing, perhaps it needs to be something like urlBase or urlOrigin

[PalmerAL]

Got it, sorry for the delay. It sounds like something with "origin" would be a better name then.

[PalmerAL]

We need to change saveCredential, right? As I mentioned in the comment on passwordCapture, it's only recording a domain still.

I think we should pass the whole URL into the manager, and then let the manager parse and save the origin: master...password-url-matching#diff-cead69e9db343b1d609e235d95b2610037795876bcd42860ebb620b78d9fa7ecR47

[PalmerAL]

The name of this field is domain in the import in keychain.js, so it needs to use the same name here. Or we could rename the field everywhere to origin, since that matches the new definition better.

[RubenSmn]

Good catch, we could migrate it to be url so we align with the other browsers' default?

[PalmerAL]

Sure, if you want to update the code to actually save the entire URL, that's fine too. If you want to just save the origin, then we should call the field origin.

[PalmerAL]

Same thing here: The name of this field is domain in the import in keychain.js, so it needs to use the same name here.