This repository was archived by the owner on Apr 16, 2026. It is now read-only.
Credentials stored as plain text in the connector's in-memory config
Required work
- Enforce HTTPS: reject origins without an https:// scheme (with an explicit dev-mode override for http://localhost)
- Validate CSS selectors: parse selectors to confirm they are syntactically valid CSS before accepting the configuration
- Remove hardcoded default selectors: require explicit selector configuration per origin; silent defaults are a footgun
- Selector allowlisting: consider restricting selectors to ID and specific attribute patterns, so that an overly broad selector such as a bare input tag cannot fill unintended fields
- Document the browser extension contract: what messages the extension sends, what the broker responds with, and the security properties of the channel
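As an added example of the checks these items describe (written for this page, not code from the project), in Go since the connector is Go: validateOrigin enforces the https-only rule with the localhost dev-mode override and canonicalises the accepted origin, and validateSelector implements the allowlisting option from the last item as a restricted grammar (tag?#id or tag?[attr="value"]...) rather than a full CSS parser, which also rejects an empty selector so that no default can be silently applied. The function names, the FillRule type and the allowed attribute names (name, id, autocomplete) are assumptions, not the project's API.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Added example, not the project's code. Names and the attribute allowlist are assumptions.

var (
	errScheme    = errors.New("origin must use https:// (http:// is only allowed for localhost in dev mode)")
	errNotOrigin = errors.New("origin must be scheme://host[:port] with no path, query, fragment or userinfo")
)

// validateOrigin accepts only an https origin (or http://localhost[:port] when
// devMode is set) and returns it canonicalised as scheme://host[:port], so the
// stored value can later be compared for equality against a page origin.
func validateOrigin(raw string, devMode bool) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	// An origin carries no path, query, fragment, userinfo or opaque part.
	if u.User != nil || (u.Path != "" && u.Path != "/") || u.RawQuery != "" ||
		u.ForceQuery || u.Fragment != "" || u.Opaque != "" {
		return "", errNotOrigin
	}
	host := strings.ToLower(u.Hostname())
	if host == "" {
		return "", errNotOrigin
	}
	switch u.Scheme { // url.Parse already lower-cases the scheme
	case "https":
	case "http":
		if !devMode || host != "localhost" {
			return "", errScheme
		}
	default:
		return "", errScheme
	}
	origin := u.Scheme + "://" + host
	if p := u.Port(); p != "" {
		origin += ":" + p
	}
	return origin, nil
}

// selectorRE is the allowlisted selector grammar (assumed here): an optional tag
// name followed by either one ID selector or one or more exact-match attribute
// selectors on name, id or autocomplete. Classes, bare tags, combinators,
// selector lists and wildcard attribute matches are all rejected.
var selectorRE = regexp.MustCompile(`^(?:[a-z][a-z0-9-]*)?(?:#[A-Za-z_][\w-]*|(?:\[(?:name|id|autocomplete)="[^"\\\]]+"\])+)$`)

// validateSelector rejects empty selectors (no silent default) and anything
// outside the allowlisted grammar.
func validateSelector(sel string) error {
	if sel == "" {
		return errors.New("selector must be configured explicitly; no default is applied")
	}
	if !selectorRE.MatchString(sel) {
		return fmt.Errorf("selector %q is not an allowed form (tag?#id or tag?[name|id|autocomplete=\"value\"]...)", sel)
	}
	return nil
}

// FillRule is an assumed per-origin configuration entry.
type FillRule struct {
	Origin           string
	UsernameSelector string
	PasswordSelector string
}

// validateRule applies both checks and returns the rule with a canonical origin.
func validateRule(r FillRule, devMode bool) (FillRule, error) {
	origin, err := validateOrigin(r.Origin, devMode)
	if err != nil {
		return FillRule{}, fmt.Errorf("origin %q: %w", r.Origin, err)
	}
	for _, s := range []struct{ name, sel string }{{"username", r.UsernameSelector}, {"password", r.PasswordSelector}} {
		if err := validateSelector(s.sel); err != nil {
			return FillRule{}, fmt.Errorf("%s selector: %w", s.name, err)
		}
	}
	return FillRule{Origin: origin, UsernameSelector: r.UsernameSelector, PasswordSelector: r.PasswordSelector}, nil
}

func main() {
	// Constructed sample configuration entries, not taken from any real deployment.
	rules := []FillRule{
		{Origin: "https://Accounts.example.com/", UsernameSelector: `input[name="login"]`, PasswordSelector: `input[autocomplete="current-password"]`},
		{Origin: "http://accounts.example.com", UsernameSelector: "#username", PasswordSelector: "#password"},
		{Origin: "https://accounts.example.com", UsernameSelector: "input", PasswordSelector: "#password"},
		{Origin: "https://accounts.example.com"}, // no selectors configured: must not fall back to a default
		{Origin: "http://localhost:3000", UsernameSelector: "#username", PasswordSelector: "#password"},
	}
	for _, r := range rules {
		if v, err := validateRule(r, false); err != nil {
			fmt.Println("reject:", err)
		} else {
			fmt.Printf("accept: %s user=%s pass=%s\n", v.Origin, v.UsernameSelector, v.PasswordSelector)
		}
	}
}
```

Two design points worth keeping in mind if the project takes this route: a syntactic CSS check alone would still accept a selector like input or [type="text"], which is valid CSS but fills every matching field on the page, so the allowlist grammar is doing the real work; and the canonical origin must be compared for exact equality with the page origin the extension reports, never as a prefix match, otherwise https://example.com would also cover https://example.com.evil.test.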
Summary
The browser connector accepts origins and selectors with minimal validation. For a credential-fill system, a badly validated origin or selector means a password can be pushed into the wrong page or the wrong field, so the validation bar should be higher.
Current state
- internal/connectors/browser/connector.go — validates origin as a parseable URL, checks selectors are non-empty
- internal/bootstrap/service.go:113-114 — hardcoded default CSS selectors (#username, #password)
Files
- internal/connectors/browser/connector.go — validation logic
- internal/bootstrap/service.go — remove default selectors, require explicit config
Priority
Medium.
🤖 Generated with Claude Code