Wladimir Palant

Actually, an explicit `--firefox-apk-component org.mozilla.fenix.debug.App` works as well. This only fails when Fenix is compiled from source, not with the official Nightly.

Sounds good, with `client_id` being arbitrary and not meaningful. It might still be a good idea to extract the host from `redirect_uri`, with users often not being good at reading...

That's not how I read the code. But even if origins are being compared here, the origin `https://google.com.malicious.com` still starts with the origin `https://google.com`. Or are origins produced here slash-terminated?

Not really. The change looks good, but I was merely reading code without having an installation to test things.

In fact, I can see the same issue with `if..else` as well - the `else` block is misindented, as if it belonged to the outer `if` statement: ``` if (a)...

> Looking at the build logs versus https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Classes#browser_compatibility, the bug is obvious. Classes field support started in Node 12, but the .travis.yml file mandates testing against Node 6, 8, and...

I'm afraid that I'm not a big fan of the "hidden checkbox" approach - it introduces the same issues here as in #160.

As of PfP 3.0, we now use KeePass database format. Which means: any KeePass-compatible app can be used on Android, I no longer have to provide one.

PfP 3.0 no longer has sync functionality, sync can be done externally.

> fixed salt, which should be fine because preimage attacks against 72 bit passwords aren't feasible I might have been overly optimistic here. Fixed salt allows running this attack against...