[PM-9388] Add new device type for DuckDuckGo browser

[trmartin4]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-9388

📔 Objective

We currently determine the Safari browser type based on the presence of Safari / in the User-Agent. Due to the fact that DDG is built on WebKit, it also has Safari / and is thus identified as such when viewing your devices.

This change adds a new DeviceType and uses the presence of Ddg in the User-Agent for the DuckDuckGo brower to identify it.

See bitwarden/server#5799 for the corresponding server changes.

⚠️ A side-effect of this change would be that any isSafari() checks will no longer return true for DuckDuckGo (as it's now classified as DuckDuckGo).

I opted to clean up these reference in a few different ways, to hopefully get rid of some debt:

• Deleted code: There were 2 places where we checked for isSafari() in which the methods do not appear to be used:
  • Send add-edit.component.ts
  • Secrets Manager secrets-list.component.ts
• Platform feature: The ApiService had logic to determine the type of client that was independent of the PlatformUtilsService. That felt not great, and I didn't want to just add DuckDuckGo to the list. So I pulled the check into a feature - supportsAutofill() - on the PlatformUtilsService and set to false for any platform except the browser extension. This reproduces the behavior of the check previously in the ApiService.

One additional note:
The prompt for browser extension install was left as-is, meaning that DuckDuckGo will no longer link to the Mac App Store, which I believe is correct. I've tagged Vault on this PR to make sure this is right.

📸 Screenshots

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[codecov]

Codecov Report

Attention: Patch coverage is 26.66667% with 11 lines in your changes missing coverage. Please review.

Project coverage is 36.50%. Comparing base (89be04a) to head (147ecd8).
Report is 104 commits behind head on main.

✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...pps/web/src/app/core/web-platform-utils.service.ts	40.00%	3 Missing ⚠️
...s/platform-utils/browser-platform-utils.service.ts	0.00%	2 Missing ⚠️
...rc/platform/services/cli-platform-utils.service.ts	0.00%	2 Missing ⚠️
...atform/services/electron-platform-utils.service.ts	0.00%	2 Missing ⚠️
apps/web/src/app/core/web-file-download.service.ts	0.00%	1 Missing ⚠️
libs/common/src/services/api.service.ts	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #14708      +/-   ##
==========================================
+ Coverage   36.34%   36.50%   +0.16%     
==========================================
  Files        3190     3200      +10     
  Lines       92150    92680     +530     
  Branches    16524    16691     +167     
==========================================
+ Hits        33491    33833     +342     
- Misses      56268    56392     +124     
- Partials     2391     2455      +64     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Checkmarx One – Scan Summary & Details – ee118d8a-4f75-421b-b11b-1b01e9eaaf4d

New Issues (7)

Checkmarx found the following issues in this Pull Request

Severity	Issue	Source File / Package	Checkmarx Insight
	CVE-2025-24010	Npm-vite-5.4.6	details Recommended version: 5.4.19 Description: Vite is a frontend tooling framework for JavaScript. Vite allowed any websites to send any requests to the development server and read the response... Attack Vector: NETWORK Attack Complexity: LOW ID: 0c9yiTEaVSqMl0%2Fu%2Bo0yEN0eB8lNlI7O%2B0GVB2IbbtI%3D Vulnerable Package
	CVE-2025-27789	Npm-@babel/helpers-7.26.9	details Recommended version: 7.26.10 Description: Babel is a compiler for writing next-generation JavaScript. In affected versions of Babel, to compile regular expressions named capturing groups, B... Attack Vector: LOCAL Attack Complexity: LOW ID: 1nYMDeMPO2xg0145rMQGJWLbztOejr9xOeHYErTItbs%3D Vulnerable Package
	CVE-2025-30208	Npm-vite-5.4.6	details Recommended version: 5.4.19 Description: Vite, a provider of frontend development tooling, has a vulnerability in versions through 4.5.9, 5.0.0 through 5.4.14, 6.0.0 through 6.0.11, 6.1.0 ... Attack Vector: NETWORK Attack Complexity: HIGH ID: QIr1nsxatSU2MLnlS%2BQs9L1VjU0hrGz5%2FPQ7Owocsjk%3D Vulnerable Package
	CVE-2025-31125	Npm-vite-5.4.6	details Recommended version: 5.4.19 Description: Vite is a frontend tooling framework for javascript. Vite exposes the content of non-allowed files using `?inline&import` or `?raw?import`. Only ap... Attack Vector: NETWORK Attack Complexity: HIGH ID: VIgwYCIBxS3XYRO4P2%2Ft37vHFBUDQQHEnaN%2Fi4eEEhU%3D Vulnerable Package
	CVE-2025-31486	Npm-vite-5.4.6	details Recommended version: 5.4.19 Description: A vulnerability in Vite allows the contents of arbitrary files to be returned to the browser. By appending "?.svg" along with "?.wasm?init" or sett... Attack Vector: NETWORK Attack Complexity: HIGH ID: 4V5NkWdOotjoBYkaz%2FZWEeoPNQu9wSJ8OMB%2BmYZyVdI%3D Vulnerable Package
	CVE-2025-32395	Npm-vite-5.4.6	details Recommended version: 5.4.19 Description: Vite is a frontend tooling framework for JavaScript. The contents of arbitrary files can be returned to the browser if the dev server is running on... Attack Vector: NETWORK Attack Complexity: LOW ID: RP5D1HvzjvTD8FBxffEa9NV4ROpdGZ27jVfdODihrLM%3D Vulnerable Package
	CVE-2025-46565	Npm-vite-5.4.6	details Recommended version: 5.4.19 Description: Vite is a frontend tooling framework for javascript. In vite package versions through 4.5.13, 5.0.0-beta.0 through 5.4.18, 6.0.0-alpha.0 through 6.... Attack Vector: NETWORK Attack Complexity: LOW ID: v8kl8oA0JulDUWCCrFTy%2FQIEUU%2F%2FcDPV2d8mTvySNoU%3D Vulnerable Package

Fixed Issues (1)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2024-40643	Npm-htmlparser2-3.10.1

[justindbaur]

I think a better name for this is supportsAutofill my dream would be that this would live on something autofill owned as well but this needs to be used pretty low level and I don't know of a great place it right now so we can leave it.

[justindbaur]

I don't think we should add these anymore. The ideal is that no team needs to do specific client checks and even if they do the getDevice() check already exists.

[justindbaur]

I think a generalization of this test would be useful so we can define a lot of inputs and the expected browser a little easier.

const testData: { userAgent: string, expectedDevice: DeviceType }[] = [
  {
    userAgent: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.3.1 Safari/605.1.15 Ddg/18.3.1",
    expectedDevice: DeviceType.DuckDuckGoBrowser,
  }
];

Also some comments about what the user agent was taken from version, OS, browser type for example. One of the test cases could be Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36 Edg/135.0.0.0 which I just grabbed from Duck Duck Go's windows browser v0.109.7 which I'm pretty sure will report Edge. I'd have it include a comment saying that it is expected to be Edge right now but if something changes we'd be happy to have the expected device type become more accurate later on.

[trmartin4]

Added additional tests for all the different browsers, based on current user-agent strings.

[justindbaur]

If we ever accurately identified DuckDuckGo on windows this logic might break down. I think a lot of our isSafari checks should actually be isWebkit checks and I think this one is too. Since DDG on windows is Edge based this logic would become wrong. It should be fine for now but I think we should get a ticket on the backlog for transitioning isSafari checks to capability based checks.

[trmartin4]

I've created a backlog ticket for converting isSafari() to capability-based checks. For this particular check, I converted this to supportsFileDownload(), as that is what we're trying to do here, I believe; my research tells me that Safari's respect of the download property for file downloads is flaky, and so we have to have the backup of opening in a new tab. That's what I tried to express here.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud