Wikimedia Foundation has long been present in these datasets, which means passwords are generally auto-filled regardless of which Wikimedia Foundation-hosted wiki project you are logging in to.
The way this dataset works:
* For any listed domain, it and any subdomains of it, may share credential auto-fill.
* For other domains in the same array, also share credential auto-fill.
Note that `*.wikimedia.org` is not listed wholesale, because it is a generic domain that holds both wikis and non-wikis. The risk involved with listing it wholesale is low, and some password managers do actually list it as a wildcard. But, the Apple-maintained list does not, and that's a reasonable compromise.
Either way, given that **we are moving the login screen to a central domain** on `auth.wikimedia.org`, this means we have to add it to our domain set, so that existing users continue to get their credentails auto-filled.
```lang=json
{
"shared": [
"wikipedia.org",
"mediawiki.org",
"wikibooks.org",
"wikidata.org",
"wikinews.org",
"wikiquote.org",
"wikisource.org",
"wikiversity.org",
"wikivoyage.org",
"wiktionary.org",
"commons.wikimedia.org",
"meta.wikimedia.org",
"incubator.wikimedia.org",
"outreach.wikimedia.org",
"species.wikimedia.org",
"wikimania.wikimedia.org"
]
}
```
Per @matmarex, there is a seemingly collaborative dataset curated by Apple at <https://github.com/apple/password-manager-resources>. This initiative only started fairly recently, with "Wikimedia" added in 2020 with <https://github.com/apple/password-manager-resources/pull/200>. If enough browsers and standalone password managers use this dataset, we potentially only have to add it there, and then wait for others to update their copies.
https://github.com/apple/password-manager-resources/blob/main/quirks/shared-credentials.json
### Work
* [x] **Test**: Verify the above understanding, i.e. credentials are not already auto-filled somehow on auth.wikimedia.org today.
* [x] **Product**: Define which browsers and standalone password managers we care before the "main" SUL3 launch (post-group0).
* [x] **Research**: Determine which if any do not use the Apple dataset as their source.
* [x] **Submit**: Submit change request to https://github.com/apple/password-manager-resources
* [ ] **Test again**: Wait and verify that it works.
| Browser or pwd manager | Status | Source or process
|--|--
| WebKit |
| Firefox | //Apple dataset//, imported at [mozilla/gecko:/websites-with-shared-credential-backends.json](https://github.com/mozilla/gecko-dev/blob/master/services/settings/dumps/main/websites-with-shared-credential-backends.json) since 2021Safari | {icon check color=green} OK, per [bugzilla ticket 1687996](https://bugzilla.mozilla.org/show_bug.cgi?id=1687996) and as shown by recent bot commits.T384844#10621899 | //Apple dataset//
| Chromium |
| KeePassXCFirefox | {icon exclamation-triangle color=red} Broken, T384844#10621881 | //Apple dataset//, imported at [mozilla/gecko:/websites-with-shared-credential-backends.json](https://github.com/mozilla/gecko-dev/blob/master/services/settings/dumps/main/websites-with-shared-credential-backends.json) since 2021, per [bugzilla ticket 1687996](https://bugzilla.mozilla.org/show_bug.cgi?id=1687996) and as shown by recent bot commits.
| Google Chrome | {icon check color=green} OK, T385520 | Google Password Manager defaults to sharing between subdomains of the same project. Google provides the DAL specification share across other domains.
| Chromium | {icon ban color=grey} Unsupported | No Apple dataset, or other extendable registry or mechanism in Chromium open source.
| KeePassXC | {icon ban color=grey} Unsupported |
| Strongbox | /{icon check color=green} OK, T384844#10621899 | /Apple dataset//, imported at [Strongbox:/shared-credentials.json](https://github.com/strongbox-password-safe/Strongbox/blob/master/shared-credentials.json) since 2022 per [ApplePasswordManagerQuirks.swift](https://github.com/strongbox-password-safe/Strongbox/blob/3117fa76131ca756984586948110255ac4abdfc1/model/quirks/ApplePasswordManagerQuirks.swift).
| 1Password | ? | /Apple dataset//, per [employee](https://github.com/apple/password-manager-resources/pull/374), and [fork](https://github.com/1Password/password-manager-resources)
| 1Password | //Apple dataset//,| LastPass | ? per [employee](https://github.com/apple/password-manager-resources/pull/374), and [fork](https://github.com/1Password/password-manager-resources)| custom, according to a June 2020 [unofficial extraction](https://github.com/apple/password-manager-resources/pull/183#issuecomment-641594770) we're not yet on it. TODO: Verify and figure out process to get added.
| LastPass| Bitwarden | ? | custom, according to a June 2020 [unofficial extraction](https://github.com/apple/password-manager-resources/pull/183#issuecomment-641594770) we're not yet on it. TODO: Verify and figure out process to get added.[bitwarden/server:/StaticStore.cs](https://github.com/bitwarden/server/blob/411291b782966fe17f4e53cd9350d137dac5d7ae/src/Core/Utilities/StaticStore.cs#L88)
| Bitwarden | customDashlane | {icon exclamation-triangle color=red} Broken, T384844#10621881 | Dashlane's support docs claim that it shares Wikimedia credentials across our 11 domains, including `.wikimedia.org`. If true, [bitwarden/server:/StaticStore.cs](https://github.com/bitwarden/server/blob/411291b782966fe17f4e53cd9350d137dac5d7ae/src/Core/Utilities/StaticStore.cs#L88)we'd need no changes. However, this feature is broken.