fix: enable dynamic URLs for Chrome web accessible resources

[addisonbeck]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-28344
sibling change from the same Jira ticket: #17466

📔 Objective

This commit adds use_dynamic_url: true to the mv3 extension's web_accessible_resources configuration. When enabled, Chrome generates random session-based GUIDs for extension resource URLs instead of using the predictable static extension ID. This enhances privacy by making extension resource URLs unpredictable and prevents third-party enumeration of installed extensions.

The feature is supported in Chrome 102+ and changes resource URLs from chrome-extension://[static-id]/resource to chrome-extension://[random-guid]/resource, with GUIDs regenerating each browser session while maintaining all existing extension functionality.

It might be wise to also review the HTML I used for testing. It is shared in the Recreation Steps in Jira.

📸 Screenshots

A before and after using the test HTML shared in Jira

⏰ Reminders before review

• Contributor guidelines followed
• All formatters and local linters executed and passed
• Written new unit and / or integration tests where applicable
• Protected functional changes with optionality (feature flags)
• Used internationalization (i18n) for all UI strings
• CI builds passed
• Communicated to DevOps any deployment requirements
• Updated any necessary documentation (Confluence, contributing docs) or informed the documentation team

🦮 Reviewer guidelines

• 👍 (:+1:) or similar for great changes
• 📝 (:memo:) or ℹ️ (:information_source:) for notes or general info
• ❓ (:question:) for questions
• 🤔 (:thinking:) or 💭 (:thought_balloon:) for more open inquiry that's not quite a confirmed issue and could potentially benefit from discussion
• 🎨 (:art:) for suggestions / improvements
• ❌ (:x:) or ⚠️ (:warning:) for more significant problems or concerns needing attention
• 🌱 (:seedling:) or ♻️ (:recycle:) for future improvements or indications of technical debt
• ⛏ (:pick:) for minor or nitpick changes

[github-actions]

Checkmarx One – Scan Summary & Details – 4088b6a7-16be-42d3-8eb3-9e34ade5b3e6

Great job! No new security vulnerabilities introduced in this pull request

[claude]

Claude finished @addisonbeck's task —— View job

---

Code Review Complete

Summary

This is a focused, well-executed privacy enhancement for Chrome MV3. The single-line change adds dynamic URL generation for web-accessible resources, preventing extension fingerprinting. The PR description is comprehensive with clear objectives and visual verification.

Findings

Finding 1: PR description and implementation are both excellent - clear objective, proper tracking reference, verification screenshots, and technically sound change (apps/browser/src/manifest.v3.json:168)

Finding 2: 💭 Manifest v2 (manifest.json) doesn't support use_dynamic_url - this Chrome-specific feature only applies to MV3, so the current approach of only modifying manifest.v3.json is correct

Finding 3: 💭 Consider documenting browser version requirements - while the PR description mentions Chrome 102+, this information isn't captured in code comments or documentation

Optional: Browser compatibility note

If you want to add clarity for future maintainers, you could add a comment above the use_dynamic_url field:

// Chrome 102+ feature: Generates random session-based GUIDs instead of static extension ID
// Enhances privacy by preventing extension fingerprinting via resource URLs
"use_dynamic_url": true

However, JSON doesn't support comments, so this would need to be documented elsewhere (README, architecture docs, or inline code comments where the manifest is referenced).

Technical Review

• ✅ Correct Chrome MV3 API usage
• ✅ Appropriate for privacy enhancement goals
• ✅ No breaking changes to extension functionality
• ✅ Security scan passed (Checkmarx)
• ✅ Proper JSON syntax with correct placement

The change is minimal, targeted, and well-reasoned. The screenshot effectively demonstrates the before/after behavior showing static extension ID URLs becoming randomized.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 41.11%. Comparing base (6305a33) to head (b9ba4c9).
⚠️ Report is 69 commits behind head on main.
✅ All tests successful. No failed tests found.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #17429      +/-   ##
==========================================
+ Coverage   40.78%   41.11%   +0.33%     
==========================================
  Files        3542     3544       +2     
  Lines      101467   101753     +286     
  Branches    15216    15241      +25     
==========================================
+ Hits        41380    41840     +460     
+ Misses      58337    58153     -184     
- Partials     1750     1760      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.