How do you think Bitwarden could have handled this better?
An allowlist of domains where iframe autofill is allowed, pre-populated with some vetted examples like apple/icloud mentioned in the article?
At what point do user options trump accessibility? I tell my parents to use Bitwarden because it's more secure than their alternative (plaintext in Google Doc) but they have no idea what an iframe is or how to spot one. If I taught them they'd never remember because it is something so seldom used. Password managers are written for an audience much larger than us. Such an option as suggested would be useless to them.
- odds of an arbitrary malicious iframe being on a login page seem vanishingly small, especially when a compromise of the login page is probably necessary before the iframe can be injected. How often can an iframe be injected but not arbitrary js?
- iframes having autofill should definitely be a sub option on such a feature.
Either way, also curious about other password managers and their behaviors here. TFA doesn't go into that, which seems like a big omission.
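The allowlist proposed above, combined with the "sub option" from the second bullet, could look like the following decision function. This is an added illustration, not Bitwarden's code: the setting names, the `registrableDomain` helper, and the allowlist entries (keyed by top-level site, with the Apple/iCloud pairing standing in for the vetted examples the thread mentions) are all assumptions.

```javascript
// Added example: policy deciding whether a password manager should autofill a
// login form inside an iframe. Not Bitwarden's implementation; setting names,
// helper names and allowlist entries are assumptions made for this example.

// Allowlist keyed by top-level site -> iframe hostnames allowed to receive
// autofill on that site. The apple.com/icloud.com entries stand in for the
// vetted examples the thread mentions; they are constructed, not verified.
const IFRAME_AUTOFILL_ALLOWLIST = {
  "apple.com": ["idmsa.apple.com", "appleid.apple.com"],
  "icloud.com": ["idmsa.apple.com"],
};

// Naive eTLD+1 (last two labels). A real implementation would consult the
// Public Suffix List so that e.g. example.co.uk is handled correctly.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  return labels.slice(-2).join(".");
}

// Returns { allow, reason }. Fails closed: a cross-origin frame is only filled
// when the user has enabled iframe autofill AND the frame is allowlisted for
// the current top-level site, so an injected third-party frame (ad network,
// bot-detection script, ...) gets nothing by default.
function autofillDecision({ topOrigin, frameOrigin, settings }) {
  const top = new URL(topOrigin);
  const frame = new URL(frameOrigin);

  // Never hand credentials to a frame that was not delivered over TLS.
  if (frame.protocol !== "https:") return { allow: false, reason: "insecure-frame" };

  // A same-origin frame is indistinguishable from the page itself.
  if (top.origin === frame.origin) return { allow: true, reason: "same-origin" };

  // The "sub option": cross-origin iframe autofill is off unless enabled.
  if (!settings.autofillInIframes) return { allow: false, reason: "iframes-disabled" };

  const allowedFrames = settings.allowlist[registrableDomain(top.hostname)] || [];
  if (allowedFrames.includes(frame.hostname.toLowerCase())) {
    return { allow: true, reason: "allowlisted" };
  }

  // Unknown cross-origin frame: do not fill silently; the UI can offer a
  // manual fill or an "add to allowlist" prompt instead.
  return { allow: false, reason: "cross-origin-not-allowlisted" };
}
```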
For example, the iframe is inserted by an ad network the site owners trust, and the ad network in turn assumes fencing off a third-party ad selection or bot detection or whatever script into an iframe is sufficient isolation and doesn’t look at it all that hard (or maybe is not even permitted to for legal reasons).
Having an ad on the login page is not universal, but neither is it uncommon, and some websites just have a login form on every page.
Maybe Bitwarden made the right choice here?