Merge branch 'main' into patch-1
rmondello committed Oct 7, 2024
2 parents 90aba51 + c077def commit 45764ea
Showing 18 changed files with 1,596 additions and 56 deletions.
Expand Up @@ -3,8 +3,8 @@
def process_file(file_path)
shared_websites = JSON.parse File.read(file_path)
shared_websites_sorted = shared_websites.sort do |a, b|
a_string = a["shared"] ? a["shared"].first : (a["from"] ? a["from"].first : "")
b_string = b["shared"] ? b["shared"].first : (b["from"] ? b["from"].first : "")
a_string = a["shared"] || a["from"] || [""]
b_string = b["shared"] || b["from"] || [""]
a_string <=> b_string
end
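Review bot: the new sort key is an Array rather than a String, so `a_string`/`b_string` are now misnamed and the comparison semantics change: `Array#<=>` compares element-wise over the whole array, whereas the removed code compared only the first element, so two entries whose first domain matches but whose later domains differ will now order differently, and `<=>` returns nil (making `sort` raise ArgumentError) if any element is not a String. Suggest renaming to `a_key`/`b_key` and, if first-element ordering was the intent, using `(a["shared"] || a["from"] || [""]).first.to_s`; otherwise state in a comment that the whole array is the key, so the sort-order lint and the generated-file verification stay in agreement with it.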

2 changes: 2 additions & 0 deletions .github/workflows/lint.yml
Expand Up @@ -40,6 +40,8 @@ jobs:
run: ruby .github/workflows/lint-scripts/websites-shared-credentials-sort-order.rb
- name: Lint Duplicates
run: ruby .github/workflows/lint-scripts/websites-shared-credentials-duplicates.rb
- name: Verify Generated Files
run: ruby tools/convert-shared-credential-to-legacy-format.rb --verify

validate-schemas:
runs-on: ubuntu-latest
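Review bot: this step only guards the generated file if `--verify` exits non-zero on a mismatch; confirm the script does that (and prints what differs) rather than merely logging, otherwise the job passes while `websites-with-shared-credential-backends.json` drifts from its source files. Naming the file in the step (`Verify websites-with-shared-credential-backends.json`) would also make a failing run self-explanatory.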
12 changes: 12 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -51,14 +51,26 @@ Each entry in [`quirks/shared-credentials.json`](quirks/shared-credentials.json)

When contributing or amending a set of websites sharing a credential backend, you should state why you believe the relevant domains do or do not share a credential backend, with evidence to support your claim. This may involve WHOIS information or content served from the domains themselves.

[`quirks/websites-with-shared-credential-backends.json`](quirks/websites-with-shared-credential-backends.json) contains a lower fidelity version of the data in [`quirks/shared-credentials.json`](quirks/shared-credentials.json) and [`quirks/shared-credentials-historical.json`](quirks/shared-credentials-historical.json). It must be regenerated using [`tools/convert-shared-credential-to-legacy-format.rb`](tools/convert-shared-credential-to-legacy-format.rb) whenever those files are changed. Please do not edit [`quirks/websites-with-shared-credential-backends.json`](quirks/websites-with-shared-credential-backends.json) manually.

### Contributing a Change Password URL

Use the website in question until you find the standalone page for updating the user's password, or a high-level "Account Information" or "Security" page. The closer the URL takes the user to be able to change their password, the better. Before adding a URL, ensure that it works properly both when the user is logged in and when they are not. URLs added to [`quirks/change-password-URLs.json`](quirks/change-password-URLs.json) should have a scheme of https unless the website does not allow changing the password on an https page.

### Contributing to Apple Application IDs to Domains that Share Credentials

On macOS, for app bundle `Example.app`, you can find the App ID by dumping its entitlements with `codesign -d --entitlements - --xml path/to/Example.app`. Its App ID is the value in the XML for key `com.apple.application-identifier`. For macOS apps in particular, if there is no App ID present, the effective App ID is the app's Bundle Identifier (`CFBundleIdentifier` in the app's `Info.plist`).

When contributing or amending a set of websites for an App ID, you should state why you believe the domains do share a credential backend with the app, with evidence to support your claim.

### Contributing to Websites Where 2FA Code is Appended to Password

When contributing or amending a set of websites that require that the user append a generated code to their password when signing in, you should state why you believe the relevant domains require such. This may involve citing a URL to the relevant support page for the website.

### Contributing to Websites That Ask for Credentials for Other Services When Embedded as Third-party

When contributing or amending the list of websites that when embedded as a third party, are known to ask for credentials for other services, you should provide evidence that the given website or websites behaves this way. This may involve a screenshot or steps to navigate a website to observe a subframe behaving this way.

### Contributing a New Kind of Quirk or Other Resource

If you have a new type of quirk or another resource, that you feel that other password managers could use to improve users' experiences and make password management more attractive for people who aren't using a password manager, please [reach out](mailto:password-manager-resources-maintainers@apple.com) to this project's maintainers at Apple so we can discuss the details.
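Review bot: the regeneration paragraph says the legacy file "must be regenerated" but never shows the command; since CI now rejects a stale copy, quote the exact invocation (presumably `ruby tools/convert-shared-credential-to-legacy-format.rb` without `--verify`) so contributors can run it before pushing. Minor grammar in the third-party section: "the given website or websites behaves this way" should read "behave", and the comma in "websites that when embedded as a third party, are known" belongs before "when".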
2 changes: 1 addition & 1 deletion LICENSE.md
@@ -1,4 +1,4 @@
Copyright 2020 - 2022 Apple Inc.
Copyright 2020 - 2024 Apple Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

22 changes: 21 additions & 1 deletion README.md
Expand Up @@ -53,9 +53,29 @@ The [Contributing](CONTRIBUTING.md) document goes into detail on the format of t

The file [`quirks/change-password-URLs.json`](quirks/change-password-URLs.json) contains a JSON object mapping domains to URLs where users can change their password. This is the quirks version of the [Well Known URL for Changing Passwords](https://github.com/w3c/webappsec-change-password-url). If a website adopts the Change Password URL, it should be removed from this list.

### Apple App IDs to Domains that Share Credentials

The file [`apple-appIDs-to-domains-shared-credentials.json`](quirks/apple-appIDs-to-domains-shared-credentials.json) expresses relationships between apps running on macOS, iOS, and iPadOS, and domains that use the same credentials. Information in this file is used by iOS and iPadOS (since version 17.4) and macOS (since version 14.4) for suggesting credentials in apps that do not have an [association with domains](https://developer.apple.com/documentation/xcode/supporting-associated-domains). The system AutoFill capability makes use of this information to improve the user experience of signing into these apps by giving users inline suggestions of the appropriate credentials when signing in. This works for all password managers that make use of the [Credential Provider Extension](https://support.apple.com/guide/security/credential-provider-extensions-sec6319ac7b9/web) mechanism.

The JSON file is a map from [App Identifier](https://developer.apple.com/help/account/manage-identifiers/register-an-app-id/) to an array of domains. Domains should be ordered by prominence from most prominent to least. The apps do not need to be distributed on Apple's App Store.

### Web Browser Extension Distribution Information

The file [`web-browser-extension-distribution-information.json`](quirks/web-browser-extension-distribution-information.json) expresses relationships between web browsers and web browser extension storefronts.

This information may be useful to any password manager with a web browser extension for the purpose of discovering installed web browsers where a user may want to install the password manager's extension.

Information in this file is re-packaged by Apple for use in macOS Sequoia version 15.1 and above to limit the [Native Messaging Host](https://developer.chrome.com/docs/extensions/develop/concepts/native-messaging) of the iCloud Passwords extension to only communicate with known web browsers.

### Websites Where 2FA Code is Appended to Password

The file [`quirks/websites-that-append-2fa-to-password.json`](quirks/websites-that-append-2fa-to-password.json) contains a JSON array of domains which use a two-factor authentication scheme where the user must append a generated code to their password when signing in. This list of websites could be used to prevent auto-submission of signin forms, allowing the user to append the 2FA code without frustration. It can also be used to suppress prompting to update a saved password when the submitted password is prefixed by the already-stored password.
The file [`quirks/websites-that-append-2fa-to-password.json`](quirks/websites-that-append-2fa-to-password.json) contains a JSON array of domains which use a two-factor authentication scheme where the user must append a generated code to their password when signing in. This list of websites could be used to prevent auto-submission of sign-in forms, allowing the user to append the 2FA code without frustration. It can also be used to suppress prompting to update a saved password when the submitted password is prefixed by the already-stored password.

### Websites That Ask for Credentials for Other Services When Embedded as Third-party

The file [`quirks/websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party.json`](quirks/websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party.json) contains a JSON array of domains that, when embedded as a third party, are known to ask for credentials for other services. For example, some payment processors conduct transactions by being embedded in an `<iframe>` on a website. These payment processors may ask for banking credentials directly, without using OAuth.

A password manager may wish to not offer to save a new password submitted in such an `<iframe>`, because the credentials are likely to not be for the service itself.

## Contributing
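Review bot: the App ID paragraph says each key is an App Identifier but not what form it takes; the CONTRIBUTING change explains that macOS apps without an App ID entitlement fall back to their bundle identifier, so the README should state that keys are either `TEAMID.bundle.identifier` or, for such macOS apps, a bare `CFBundleIdentifier`, otherwise readers will mistake un-prefixed keys in the JSON for errors. It would also help to say whether listed domains are registrable domains only or may include hostnames, since the data file mixes both (`etrade.com` versus `identity.metlife.com`).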

79 changes: 79 additions & 0 deletions quirks/apple-appIDs-to-domains-shared-credentials.json
@@ -0,0 +1,79 @@
{
"P7SDVXUZPK.com.etrade.mobileproiphone": [
"etrade.com"
],
"PPTA7G59L3.com.kpcu.architectmobile": [
"kpcu.com"
],
"KPSFBM8T3Z.com.optum.mobile.OptumBank": [
"myuhc.com"
],
"KPSFBM8T3Z.com.optumhealth.mobile.OptumRX": [
"myuhc.com"
],
"UF8VKHMLML.com.uhg.mobile.uhc": [
"myuhc.com"
],
"LJU5B5SR84.com.educationalccu.mobile": [
"onlinebank.com"
],
"T5W6CQA35T.com.fis.447iPhoneSUB": [
"cit.com"
],
"L6F2ZQ2MJV.com.metlife.us.business": [
"access.online.metlife.com",
"identity.metlife.com"
],
"QDZLSW3Z22.com.leviton.home": [
"leviton.com"
],
"3976U676H6.com.allegion.sense.store": [
"schlage.com"
],
"G4K4BQ7S8J.com.backblaze.BzBackupBrowser": [
"backblaze.com"
],
"J983T9Z6T6.com.birdbuddy.app": [
"mybirdbuddy.com"
],
"M3Q8QUH343.com.getmysa.mysa": [
"getmysa.com"
],
"ZRZ3QJN79B.com.dyson.dysonlink": [
"dyson.com"
],
"com.backblaze.BackblazeDownloader": [
"backblaze.com"
],
"K65HQ235M5.org.sutterhealth.myhealthonline": [
"sutterhealth.org"
],
"T9984LC44E.com.whisker.ios": [
"litter-robot.com"
],
"K832E2UXV7.com.riotgames.mobile.leagueconnect": [
"riotgames.com"
],
"GN78YB727N.com.namecheap.iosapp": [
"namecheap.com"
],
"8MQ82YZW32.com.travefy.go": [
"travefy.com"
],
"39FN7MD5NR.com.elation.patientpassport": [
"elationpassport.com"
],
"XUD5XM3X2G.com.vail.EpicMix": [
"epicpass.com"
],
"UPS7472725.com.metrolinx.presto.ios.consumerapp": [
"prestocard.ca"
],
"PX369MG78T.com.dmdbrands.balancehealth": [
"greatergoods.com"
],
"498RNR3HN7.com.tdbank.iphoneapp": [
"td.com",
"tdbank.com"
]
}
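Review bot: this file has no sort order and no lint, unlike the other quirk lists (lint.yml runs sort-order and duplicates scripts for shared credentials): keys are neither alphabetical nor grouped by vendor, and `com.backblaze.BackblazeDownloader` is the only key without a team-ID prefix, which is valid per CONTRIBUTING but indistinguishable from a typo without a check. Suggest adding this file to the validate-schemas job (keys matching an optional 10-character team prefix plus a bundle identifier, values as non-empty arrays of lowercase domains without scheme or path, no duplicate keys) and fixing a deterministic key order so future additions produce minimal diffs.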