keepassxc-browser icon indicating copy to clipboard operation
keepassxc-browser copied to clipboard
verified publisher icon keepassxreboot

Support extension-content-verification=enforce_strict

Open jasperweiss opened this issue 5 months ago • 6 comments

Have you searched for an existing issue?

  • [x] Yes, I tried searching and reviewed the pinned issues

Brief Summary

This issue may have some overlap with older issues related to the extension being disabled and marked as "corrupted" on certain configurations.

You can reproduce these issues by running chrome/chromium with --extension-content-verification=enforce_strict for a few days. You will eventually encounter this warning:

Image

This flag was introduced somewhere around 2014 and there is no intent-to-ship for making this the default at the moment. But those who would like to use this flag or those who use a browser that has it built-in are also likely to use KeePassXC.

I understand the usecase is niche and that non-default setups are generally unsupported, but the fix may not be too complicated. My guess is that KeePassXC-Browser modifies a file within itself at some point such that it no longer matches the manifest published in the chrome extension store, rather than writing it to the intended place to hold state.

Expected Versus Actual Behavior

The extension should not modify or add to it's own files in a way that causes a mismatch between the extension's files and the chrome extension store manifest.

Steps to Reproduce

Run chrome/chromium with --extension-content-verification=enforce_strict for a while.

KeePassXC-Browser Debug Information

N/A

jasperweiss avatar Sep 12 '25 14:09 jasperweiss

This may be better described as a feature request, since nothing is broken under the default chrome setup.

jasperweiss avatar Sep 12 '25 14:09 jasperweiss

Is there any relevant info behind the Details button when this happens?

varjolintu avatar Sep 13 '25 09:09 varjolintu

Not really, it just opens the extension's details page.

Image

jasperweiss avatar Sep 14 '25 12:09 jasperweiss

I made a list of hashes using hashdeep to find out what has been changed. But nothing appears to have changed within the extension, at least not permanently. Perhaps it's a temporary file?

$ hashdeep -avk baseline_hashes.txt -r .config/trivalent/Default/Extensions/oboonakemofpalcgghocfoadofidjkkk
hashdeep: Audit passed
          Files matched: 185
Files partially matched: 0
            Files moved: 0
        New files found: 0
  Known files not found: 0

jasperweiss avatar Sep 14 '25 13:09 jasperweiss

You cannot sideload extensions when this setting is passed. You must pull the extension from the chrome or edge store. I couldn't replicate this issue using Edge.

droidmonkey avatar Sep 14 '25 14:09 droidmonkey

We don't create any temporary files.

varjolintu avatar Sep 14 '25 17:09 varjolintu