README.md: 28 additions & 4 deletions
@@ -31,9 +31,11 @@ In order to use Browserpass you must also install a [companion native messaging
31
31
-[Requested permissions](#requested-permissions)
32
32
-[FAQ](#faq)
33
33
-[How to use the same username and password pair on multiple domains](#how-to-use-the-same-username-and-password-pair-on-multiple-domains)
34
+
-[Why Browserpass on Firefox does not work on Mozilla domains?](#why-browserpass-on-firefox-does-not-work-on-mozilla-domains)
34
35
-[Why is OTP not supported?](#why-is-otp-not-supported)
35
-
-[Hints for macOS users](#hints-for-macos-users)
36
-
-[Hints for NixOS / Nix users](#hints-for-nixos--nix-users)
36
+
-[Building the extension](#building-the-extension)
37
+
-[Build locally](#build-locally)
38
+
-[Load an unpacked extension](#load-an-unpacked-extension)
37
39
-[Contributing](#contributing)
38
40
39
41
## Requirements
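Review bot: The table-of-contents changes in this hunk that drop `Hints for macOS users` and `Hints for NixOS / Nix users` and add `Building the extension`, `Build locally` and `Load an unpacked extension` have no matching section change elsewhere in this diff; only the new Mozilla-domains FAQ entry does. Please confirm that every remaining anchor resolves to a heading in README.md, and mention the TOC resync in the commit message so it is not mistaken for part of the FAQ change.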
@@ -281,7 +283,7 @@ Browserpass extension requests the following permissions:
281
283
| `activeTab` | To get URL of the current tab, used for example to determine which passwords to show you by default in the popup |
282
284
| `alarms` | To set a timer for clearing the clipboard 60 seconds after credentials are copied |
283
285
| `tabs` | To get URL of a given tab, used for example to set count of the matching passwords for a given tab |
284
-
| `clipboardRead` | To ensure only copied credentials and not other content is cleared from the clipboard after 60 seconds |
286
+
| `clipboardRead` | To ensure only copied credentials and not other content is cleared from the clipboard after 60 seconds |
285
287
| `clipboardWrite` | For "Copy password" and "Copy username" functionality |
286
288
| `nativeMessaging` | To allow communication with the native app |
287
289
| `notifications` | To show browser notifications on install or update |
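Review bot: The removed and added `clipboardRead` rows read identically here, so this looks like a whitespace or column-alignment change only. If that is the intent it is fine, but it is unrelated to the FAQ additions and would be cleaner as a separate formatting commit.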
@@ -302,6 +304,28 @@ The second option is to create a symlink file `amazon.co.uk.gpg` pointing to `am
302
304
303
305
If you simply want to re-use the same credentials on multiple subdomains of the same domain (e.g. `app.example.com` and `wiki.example.com`), you can also rename your password entry to a common denominator of the two subdomains, which in this example would be `example.com.gpg` (see [Password matching and sorting](#password-matching-and-sorting)).
304
306
307
+
### Why Browserpass on Firefox does not work on Mozilla domains?
308
+
309
+
Firefox has decided to [block all extensions from injecting any content scripts on their domains](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Content_scripts), sadly there's nothing we can do about it.
310
+
311
+
The full list of blocked domains at the time of writing is:
312
+
313
+
- accounts-static.cdn.mozilla.net
314
+
- accounts.firefox.com
315
+
- addons.cdn.mozilla.net
316
+
- addons.mozilla.org
317
+
- api.accounts.firefox.com
318
+
- content.cdn.mozilla.net
319
+
- content.cdn.mozilla.net
320
+
- discovery.addons.mozilla.org
321
+
- input.mozilla.org
322
+
- install.mozilla.org
323
+
- oauth.accounts.firefox.com
324
+
- profile.accounts.firefox.com
325
+
- support.mozilla.org
326
+
- sync.services.mozilla.com
327
+
- testpilot.firefox.com
328
+
305
329
### Why is OTP not supported?
306
330
307
331
Tools like `pass-otp` make it possible to use `pass` for generating OTP codes, however keeping both passwords and OTP URI in the same location diminishes the major benefit that OTP is supposed to provide: two factor authentication. The purpose of multi-factor authentication is to protect your account even when attackers gain access to your password store, but if your OTP seed is stored in the same place, all auth factors will be compromised at once. In particular, Browserpass has access to the entire contents of your password entries, so if it is ever compromised, all your accounts will be at risk, even though you signed up for 2FA.
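Review bot: `content.cdn.mozilla.net` appears twice in the new blocked-domains list; drop the duplicate or replace it with the domain that was meant. Because the list is described as correct "at the time of writing", say where it was taken from so readers can check the current set, since the linked content-scripts page is the only reference given. The heading would also read better as "Why does Browserpass on Firefox not work on Mozilla domains?", which means updating the matching TOC anchor, and the comma before "sadly" should be a full stop.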
@@ -310,7 +334,7 @@ Browserpass is opinionated, it does not promote `pass-otp` and intentionally doe
310
334
311
335
There are valid scenarios for using `pass-otp` (e.g. it gives protection against intercepting your password during transmission), but users are strongly advised to very carefully consider whether `pass-otp` is really an appropriate solution - and if so, come up with their own ways of accessing OTP codes that conforms to their security requirements (for example by using dmenu/rofi scripts). For the majority of people `pass-otp` is not recommended; using any phone app like Authy will be a much better and more secure alternative, because this way attackers would have to not only break into your password store, but they would _also_ have to break into your phone.
312
336
313
-
Going forward, OTP support will be provided via a [separate extension](https://github.com/browserpass/browserpass-extension/issues/76). That extension will integrate with browserpass to ensure a streamlined workflow - if the OTP extension is installed, it will be automatically triggered when browserpass fills an entry and an OTP token is present.
337
+
If you still want the OTP support, it is provided via a separate extension [browserpass-otp](https://github.com/browserpass/browserpass-otp). That extension integrates with Browserpass to ensure a streamlined workflow, for example if the OTP extension is installed, it will be automatically triggered when Browserpass fills an entry and an OTP token is present.
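Review bot: The new sentence points users to browserpass-otp without saying that the concern in the paragraphs above still applies: the extension is triggered "when Browserpass fills an entry and an OTP token is present", so the OTP secret still sits in the same password entry as the password. Add a clause stating that the same trade-off holds, so the link does not read as a recommendation. Minor wording: "the OTP support" should be "OTP support", and "for example if the OTP extension is installed" is better as its own sentence.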