Merge branch 'apple:main' into main

.github/workflows/lint-scripts/websites-shared-credentials-sort-order.rb

@@ -3,8 +3,8 @@
 def process_file(file_path)
   shared_websites = JSON.parse File.read(file_path)
   shared_websites_sorted = shared_websites.sort do |a, b|
-    a_string = a["shared"] ? a["shared"].first : (a["from"] ? a["from"].first : "")
-    b_string = b["shared"] ? b["shared"].first : (b["from"] ? b["from"].first : "")
+    a_string = a["shared"] || a["from"] || [""]
+    b_string = b["shared"] || b["from"] || [""]
     a_string <=> b_string
   end
 

CONTRIBUTING.md

@@ -57,10 +57,20 @@ When contributing or amending a set of websites sharing a credential backend, yo
 
 Use the website in question until you find the standalone page for updating the user's password, or a high-level "Account Information" or "Security" page. The closer the URL takes the user to be able to change their password, the better. Before adding a URL, ensure that it works properly both when the user is logged in and when they are not. URLs added to [`quirks/change-password-URLs.json`](quirks/change-password-URLs.json) should have a scheme of https unless the website does not allow changing the password on an https page.
 
+### Contributing to Apple Application IDs to Domains that Share Credentials
+
+On macOS, for app bundle `Example.app`, you can find the App ID by dumping its entitlements with `codesign -d --entitlements - --xml path/to/Example.app`. Its App ID is the value in the XML for key `com.apple.application-identifier`. For macOS apps in particular, if there is no App ID present, the effective App ID is the app's Bundle Identifier (`CFBundleIdentifier` in the app's `Info.plist`).
+
+When contributing or amending a set of websites for an App ID, you should state why you believe the domains do share a credential backend with the app, with evidence to support your claim.
+
 ### Contributing to Websites Where 2FA Code is Appended to Password
 
 When contributing or amending a set of websites that require that the user append a generated code to their password when signing in, you should state why you believe the relevant domains require such. This may involve citing a URL to the relevant support page for the website.
 
+### Contributing to Websites That Ask for Credentials for Other Services When Embedded as Third-party
+
+When contributing or amending the list of websites that when embedded as a third party, are known to ask for credentials for other services, you should provide evidence that the given website or websites behaves this way. This may involve a screenshot or steps to navigate a website to observe a subframe behaving this way.
+
 ### Contributing a New Kind of Quirk or Other Resource
 
 If you have a new type of quirk or another resource, that you feel that other password managers could use to improve users' experiences and make password management more attractive for people who aren't using a password manager, please [reach out](mailto:[email protected]) to this project's maintainers at Apple so we can discuss the details.

README.md

@@ -53,9 +53,21 @@ The [Contributing](CONTRIBUTING.md) document goes into detail on the format of t
 
 The file [`quirks/change-password-URLs.json`](quirks/change-password-URLs.json) contains a JSON object mapping domains to URLs where users can change their password. This is the quirks version of the [Well Known URL for Changing Passwords](https://github.com/w3c/webappsec-change-password-url). If a website adopts the Change Password URL, it should be removed from this list.
 
+### Apple App IDs to Domains that Share Credentials
+
+The file [`apple-appIDs-to-domains-shared-credentials.json`](quirks/apple-appIDs-to-domains-shared-credentials.json) expresses relationships between apps running on macOS, iOS, and iPadOS, and domains that use the same credentials. Information in this file is used by iOS and iPadOS (since version 17.4) and macOS (since version 14.4) for suggesting credentials in apps that do not have an [association with domains](https://developer.apple.com/documentation/xcode/supporting-associated-domains). The system AutoFill capability makes use of this information to improve the user experience of signing into these apps by giving users inline suggestions of the appropriate credentials when signing in. This works for all password managers that make use of the [Credential Provider Extension](https://support.apple.com/guide/security/credential-provider-extensions-sec6319ac7b9/web) mechanism.
+
+The JSON file is a map from [App Identifier](https://developer.apple.com/help/account/manage-identifiers/register-an-app-id/) to an array of domains. Domains should be ordered by prominence from most prominent to least. The apps do not need to be distributed on Apple's App Store.
+
 ### Websites Where 2FA Code is Appended to Password
 
-The file [`quirks/websites-that-append-2fa-to-password.json`](quirks/websites-that-append-2fa-to-password.json) contains a JSON array of domains which use a two-factor authentication scheme where the user must append a generated code to their password when signing in. This list of websites could be used to prevent auto-submission of signin forms, allowing the user to append the 2FA code without frustration. It can also be used to suppress prompting to update a saved password when the submitted password is prefixed by the already-stored password.
+The file [`quirks/websites-that-append-2fa-to-password.json`](quirks/websites-that-append-2fa-to-password.json) contains a JSON array of domains which use a two-factor authentication scheme where the user must append a generated code to their password when signing in. This list of websites could be used to prevent auto-submission of sign-in forms, allowing the user to append the 2FA code without frustration. It can also be used to suppress prompting to update a saved password when the submitted password is prefixed by the already-stored password.
+
+### Websites That Ask for Credentials for Other Services When Embedded as Third-party
+
+The file [`quirks/websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party.json`](websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party.json) contains a JSON array of domains that, when embedded as a third party, are known to ask for credentials for other services. For example, some payment processors conduct transactions by being embedded in an `<iframe>` on a website. These payment processors may ask for banking credentials directly, without using OAuth.
+
+A password manager may wish to not offer to save a new password submitted in such an `<iframe>`, because the credentials are likely to not be for the service itself.
 
 ## Contributing
 

quirks/apple-appIDs-to-domains-shared-credentials.json

@@ -0,0 +1,66 @@
+{
+    "P7SDVXUZPK.com.etrade.mobileproiphone": [
+        "etrade.com"
+    ],
+    "PPTA7G59L3.com.kpcu.architectmobile": [
+        "kpcu.com"
+    ],
+    "KPSFBM8T3Z.com.optum.mobile.OptumBank": [
+        "myuhc.com"
+    ],
+    "KPSFBM8T3Z.com.optumhealth.mobile.OptumRX": [
+        "myuhc.com"
+    ],
+    "UF8VKHMLML.com.uhg.mobile.uhc": [
+        "myuhc.com"
+    ],
+    "LJU5B5SR84.com.educationalccu.mobile": [
+        "onlinebank.com"
+    ],
+    "T5W6CQA35T.com.fis.447iPhoneSUB": [
+        "cit.com"
+    ],
+    "L6F2ZQ2MJV.com.metlife.us.business": [
+        "access.online.metlife.com",
+        "identity.metlife.com"
+    ],
+    "QDZLSW3Z22.com.leviton.home": [
+        "leviton.com"
+    ],
+    "3976U676H6.com.allegion.sense.store": [
+        "schlage.com"
+    ],
+    "G4K4BQ7S8J.com.backblaze.BzBackupBrowser": [
+        "backblaze.com"
+    ],
+    "J983T9Z6T6.com.birdbuddy.app": [
+        "mybirdbuddy.com"
+    ],
+    "M3Q8QUH343.com.getmysa.mysa": [
+        "getmysa.com"
+    ],
+    "ZRZ3QJN79B.com.dyson.dysonlink": [
+        "dyson.com"
+    ],
+    "com.backblaze.BackblazeDownloader": [
+        "backblaze.com"
+    ],
+    "K65HQ235M5.org.sutterhealth.myhealthonline": [
+        "sutterhealth.org"
+    ],
+    "T9984LC44E.com.whisker.ios": [
+        "litter-robot.com"
+    ],
+    "K832E2UXV7.com.riotgames.mobile.leagueconnect": [
+        "riotgames.com"
+    ],
+    "GN78YB727N.com.namecheap.iosapp": [
+        "namecheap.com"
+    ],
+    "8MQ82YZW32.com.travefy.go": [
+        "travefy.com"
+    ],
+    "39FN7MD5NR.com.elation.patientpassport": [
+        "elationpassport.com"
+    ]
+}

quirks/password-rules.json

@@ -260,6 +260,9 @@
     "dmm.com": {
         "password-rules": "minlength: 4; maxlength: 16; required: lower; required: upper; required: digit;"
     },
+    "dodgeridge.com": {
+        "password-rules": "minlength: 8; maxlength: 12; required: lower; required: upper; required: digit;"
+    },
     "dowjones.com": {
         "password-rules": "maxlength: 15;"
     },
@@ -917,6 +920,9 @@
     "udel.edu": {
         "password-rules": "minlength: 12; maxlength: 30; required: lower; required: upper; required: digit; required: [!@#$%^&*()+];"
     },
+    "umterps.evenue.net": {
+        "password-rules": "minlength: 4; maxlength: 12;"
+    },
     "user.ornl.gov": {
         "password-rules": "minlength: 8; maxlength: 30; max-consecutive: 3; required: lower, upper; required: digit; allowed: [!#$%./_];"
     },

quirks/schemas/apple-appIDs-to-domains-shared-credentials-schema.json

@@ -0,0 +1,10 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "type": "object",
+  "additionalProperties": {
+    "type": "array",
+    "items": {
+      "type": "string"
+    }
+  }
+}

quirks/schemas/websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party-schema.json

@@ -0,0 +1,8 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "type": "array",
+  "uniqueItems": true,
+  "items": {
+    "type": "string"
+  }
+}

quirks/shared-credentials-historical.json

@@ -554,12 +554,6 @@
             "superuser.com"
         ]
     },
-    {
-        "shared": [
-            "steampowered.com",
-            "steamcommunity.com"
-        ]
-    },
     {
         "shared": [
             "telekom-dienste.de",

quirks/shared-credentials.json

@@ -170,6 +170,12 @@
             "shopdisney.com"
         ]
     },
+    {
+        "shared": [
+            "dnt.abine.com",
+            "ironvest.com"
+        ]
+    },
     {
         "shared": [
             "ebay.at",
@@ -228,6 +234,15 @@
             "eventbrite.sg"
         ]
     },
+    {
+        "from": [
+            "fancourier.ro"
+        ],
+        "to": [
+            "selfawb.ro"
+        ],
+        "fromDomainsAreObsoleted": true
+    },
     {
         "from": [
             "flyblade.com"
@@ -237,6 +252,16 @@
         ],
         "fromDomainsAreObsoleted": true
     },
+    {
+        "from": [
+            "gazduire.com.ro",
+            "gazduire.net"
+        ],
+        "to": [
+            "admin.ro"
+        ],
+        "fromDomainsAreObsoleted": true
+    },
     {
         "from": [
             "hbo.com",
@@ -377,6 +402,15 @@
             "simplifimoney.com"
         ]
     },
+    {
+        "from": [
+            "raywenderlich.com"
+        ],
+        "to": [
+            "kodeco.com"
+        ],
+        "fromDomainsAreObsoleted": true
+    },
     {
         "shared": [
             "redis.com",
@@ -398,6 +432,12 @@
         ],
         "fromDomainsAreObsoleted": true
     },
+    {
+        "shared": [
+            "steampowered.com",
+            "steamcommunity.com"
+        ]
+    },
     {
         "shared": [
             "taxhawk.com",
@@ -442,6 +482,15 @@
             "ussailing.org"
         ]
     },
+    {
+        "from": [
+            "wacom.eu"
+        ],
+        "to": [
+            "wacom.com"
+        ],
+        "fromDomainsAreObsoleted": true
+    },
     {
         "shared": [
             "wikipedia.org",

quirks/websites-that-ask-for-credentials-for-other-services-when-embedded-as-third-party.json

@@ -0,0 +1,3 @@
+[
+    "plaid.com"
+]

quirks/websites-with-shared-credential-backends.json

@@ -280,6 +280,10 @@
         "hulu.com",
         "shopdisney.com"
     ],
+    [
+        "dnt.abine.com",
+        "ironvest.com"
+    ],
     [
         "docusign.com",
         "docusign.net"
@@ -354,6 +358,10 @@
         "facebook.com",
         "messenger.com"
     ],
+    [
+        "fancourier.ro",
+        "selfawb.ro"
+    ],
     [
         "fandangonow.com",
         "fandango.com"
@@ -378,6 +386,11 @@
         "foursquare.com",
         "swarmapp.com"
     ],
+    [
+        "gazduire.com.ro",
+        "gazduire.net",
+        "admin.ro"
+    ],
     [
         "glassdoor.ca",
         "glassdoor.com",
@@ -601,6 +614,10 @@
         "quicken.com",
         "simplifimoney.com"
     ],
+    [
+        "raywenderlich.com",
+        "kodeco.com"
+    ],
     [
         "redis.com",
         "redislabs.com"
@@ -746,6 +763,10 @@
         "verizonwireless.com",
         "vzw.com"
     ],
+    [
+        "wacom.eu",
+        "wacom.com"
+    ],
     [
         "wayfair.com",
         "wayfair.ca",

tools/autoformat-json-files.rb

@@ -14,11 +14,21 @@
 Dir.glob('*.json').each do |file_path|
   relative_path = File.join("quirks", file_path)
 
+  # We don't sort this file alphabetically because there is no value in doing so.
+  next if relative_path == "quirks/apple-appIDs-to-domains-shared-credentials.json"
+
   begin
     original_file_contents = File.read(file_path)
     contents_as_object = JSON.parse(original_file_contents)
     if contents_as_object.is_a? Hash
       contents_as_object = contents_as_object.sort_by { |key| key }.to_h
+    elsif contents_as_object.is_a? Array and contents_as_object[0].is_a? Hash
+      contents_as_object = contents_as_object.sort do |first, second|
+        first_content = first["shared"] || first["from"] || [""]
+        second_content = second["shared"] || second["from"] || [""]
+
+        first_content <=> second_content
+      end
     else
       contents_as_object = contents_as_object.sort
     end