Rated 4 out of 5 stars

by Firefox user 3437a3 on June 30, 2012 ·

I like it very much! This is a key feature to make Firefox much more fun in OSX!

Questions:
1) Does Firefox not use it's own password storage anymore?
2) How save is this extension? Does it itself ever see the password or is all of this handled by the OSX keychain services?

This review is for a previous version of the add-on (1.1.3.1-signed.1-signed). 

by Julian Fitzell (Developer) on June 30, 2012 ·

1) The original password storage is basically left alone so that it's still there if you disable the extension. I should probably add a button somewhere to erase it but have never got around to it. If no matching passwords are found in the Keychain, it does make an effort to fall through to the legacy storage; also passwords for non-standard protocols (i.e. for Mozilla Sync) are stored there because more work would be needed to find a way to store them in the Keychain.
2) Firefox (via the extension) has access to any passwords to which you "Allow" access from the operating system. OS X prevents apps from accessing other passwords (though all the other fields in the keychain are publicly readable by all). It's not a token system like Kerberos, so the applications *do* see the passwords. Code running inside web pages should not have access to the keychain since the Mozilla engine only grants code running as an extension enough privileges to do so.

Hope that helps.