Skip to content

Add native‑messaging allow‑list entry so the iCloud Passwords Firefox extension works in Tor/Mullvald Browsers

Summary

Apple’s iCloud Passwords add‑on communicates with a native helper called PasswordManagerBrowserExtensionHelper (com.apple.passwordmanager). Since macOS 15.4 (and current Windows builds) the helper checks the bundle‑ID / code‑signature of the calling browser against an internal allow‑list generated from Apple’s public file web-browser-extension-distribution-information.json (https://github.com/apple/password-manager-resources/blob/main/quirks/web-browser-extension-distribution-information.json).

At the moment the list contains only stock Firefox. Because Tor and Mullvad browsers has a different bundle‑ID, the helper terminates immediately, so the extension shows "This extension requires macOS Sonoma or later to be installed", even though I'm running macOS Sequoia.

Adding Tor and Mullvad to Apple’s allow‑list will restore full functionality.

Older macOS ≤ 15.3 / Windows 14.1 still work if a custom native‑messaging manifest is copied, because the additional signature check was introduced later.

Proposed fix

  1. Add Tor and Mullvad browsers to the allow‑list Apple uses: Forks are expected to submit a PR or open an issue in Apple’s repo. Repository: https://github.com/apple/password-manager-resources File: quirks/web-browser-extension-distribution-information.json
{
  "bundle_id": "io.github.browser",       // replace with our Bundle ID
  "team_id":   "ABCDE12345",              // Apple developer team ID
  "platform":  "macos",                   // and/or "windows"
  "browser_name": "<Browser‑Name>"
}
  1. Until Apple merges the change and ships a new helper, document the limitation in the release notes so users know why the add‑on fails.

References / background Apple’s explanation for third‑party browsers: https://github.com/apple/password-manager-resources#web-browser-extension-distribution-information

Impact

Many users rely on iCloud Keychain for cross‑device password management. Without this fix they must switch to stock Firefox or Chrome just for password filling, which defeats the purpose of using Tor/Mullvad browser.

Please consider filing the upstream request so the helper will recognise our browser.

Thank you!

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information