Configuring KeePassRPC permitted websocket origins

We now check that the origin of the websocket request is a Mozilla or other modern web browser extension. Since KeePassRPC can be used with other clients, we have a hidden configuration option to allow for this requirement to be relaxed.

Find your KeePass configuration file and set a comma-delimited list of origin prefixes that you wish to allow to connect to KeePass - (while KeePass is closed) insert the following to the element:


The following values are permitted by default if no value is set for this configuration key (or if all values in the list are empty): "resource://gre-resources,ms-browser-extension://,safari-web-extension://,moz-extension://,chrome-extension://". In most cases you’ll want to include all of those with any additional origins you wish to permit.

PS: It may be tempting to use this setting to further limit KeePassRPC access to only a whitelist of known browser extensions such as Kee. Unfortunately, even if this works at the moment for some browsers, you should expect it to break soon. The use of a permanent unique identifier in the origins sent by your browser poses a privacy (fingerprinting) risk and thus all browser developers are likely to adopt randomly changing identifiers in the near future (some such as Mozilla Firefox have already done so).