A recent version of the Chrome extension (later than 4.130.2, I was only able to test on 4.133.0) has a change in DOM manipulation logic that breaks an application I'm working on. Previously, the LastPass logo buttons ("...|" <- this guy) would render as a final sibling to relevant input elements (email, password etc). In recent version(s), this element is now injected as the first subsequent sibling.
My application uses a language called Elm; its app framework has an index basis for VDOM-diffing. When extensions inject final elements (as the LastPass Firefox extension and most other password managers do), this is no problem for us:
- input element <- tracked by Elm
- "show password" button <- tracked by Elm
- lastpass button <- ignored by Elm
But in the case of the Chrome extension:
- input element <- tracked by Elm
- lastpass button <- tracked by Elm (!)
- "show password" button <- ignored by Elm (!)
which leads to some nasty runtime errors once VDOM-diffing gets applied.
You can probably imagine some so-so mitigations for this, but I'm concerned that assumes I understand the extension's behavior accurately, and that this behavior will be stable across versions and across browsers going into the future. Given that "when possible, treat elements lists as append-only" is a common extension convention, I'm wondering if that could be restored and nailed down here? Or if not, some public documentation that details exactly what the logic is so that we can have a reliable mitigation for it. That way we can continue to support LastPass on our page.
Long read, thanks for your time!
