WordPress.org

Make WordPress Core

Opened 4 years ago

Last modified 3 years ago

#27086 new defect (bug)

Make auth-check logins work with 1Password

Reported by: nacin Owned by:
Milestone: Awaiting Review Priority: normal
Severity: normal Version:
Component: Login and Registration Keywords:
Focuses: Cc:

Description (last modified by nacin)

After some conversation on Twitter, I've been testing 1Password's browser extensions against WordPress. It works fine when logging in normally, but when you get logged out and need to log in from an iframe, it fails pretty hard.

Specifically, 1Password decides to fill *every* text input — even those that are hidden, that have content, or that aren't in the same form — with the login name. This is despite the web form fields being configured, present, and matching up perfectly.

(By hidden I'm referring to type="text" that is visually hidden, not type="hidden".)

Basic steps to trigger the issue:

  • Have a login saved from wp-login.php (making sure that your web form details are for "log", "pwd" and optionally "rememberme").
  • Edit a post.
  • Hit the 1Password global shortcut, ⌘\. It will fill in every text input, including the title, the tags meta box input, the slug meta box input, etc. It's a mess.

Steps to reproduce with a real login form:

  • Have a login saved from wp-login.php, etc.
  • Edit a post.
  • Delete your login cookies. Wait three minutes, or speed things up by calling wp.heartbeat.connectNow() in your console.
  • An iframe should pop up (assuming you're not cross-domain, at least). Log in using ⌘\.
  • It'll log into the iframe and submit it, which closes it.
  • Note that the title field and all other text fields.

Steps to reproduce to comedic results:

  • Have a login saved from wp-login.php, etc.
  • Visit Settings > General.
  • Delete your login cookies. Wait three minutes, or speed things up by calling wp.heartbeat.connectNow() in your console.
  • An iframe should pop up (assuming you're not cross-domain, at least). Log in using ⌘\.
  • It'll log into the iframe and submit it, which closes it.
  • Note that every single settings field is filled with your login.

Here's a dead-simple HTML page to try that involves two different forms. Doesn't matter where the focus is when ⌘\ is invoked. Doesn't matter if it's one form, multiple forms, an iframe, whether the other inputs are even wrapped by form.

<!DOCTYPE html>
<head>
<meta charset="utf-8" />
</head>
<body>

<form>
<input type="text" name="log" />
<input type="password" name="pwd" />
<input type="submit" />
</form>

<form>
<input type="text" name="title" />
<input type="text" name="foo" />
<input type="text" name="bar" />
<input type="text" name="baz" />
</form>

</body>
</html>

It seems that "If the fields saved in a Login item don’t match the ones on the page I try to fill what I can" (source) is inaccurate. It doesn't matter whether the fields match; and "fill what I can" actually means "randomly stomp on all fields". This reminds me of #24364.

Possible solutions:

  • Disable all other inputs when the iframe is open, and re-enable them when closed. (Need to be careful to not re-enable previously disabled fields.)
  • Convince 1Password to release a fix for this. They happen to be WordPress users themselves, so it's not out of the question. There are numerous options here, as well — not filling in outside of an iframe is probably pretty safe, especially when fields also match 1:1. But one question would be how quickly they'd make a fix. I'd tend to think we'd be able to release 3.9 first. I filed an unrelated report of a simple, annoying, and straightforward bug about two months ago; their last bug fix release was about a month ago.

Change History (7)

#1 @nacin
4 years ago

  • Description modified (diff)

#2 @nacin
4 years ago

Separate report: https://twitter.com/perrodin/status/432908703298121729. When setting up a new WP site, 1Password always grabs the email address as the username.

#4 @nacin
4 years ago

Some news! 1Password extension 4.2 Beta is out, and it appears to fix this. Please test and leave feedback here!

You can get the beta at https://agilebits.com/browsers/index.html, clicking "Enable betas" below the big install button. In Chrome you end up with two extensions installed, so it's easy to switch back to stable.

Note that I can't get the extension to auto-submit logins, but that may be like that for debugging the beta. I've asked that question upstream.

#5 @mannieschumpert
4 years ago

The problem with filling in every text input does seem to have been solved, but yes, auto-submitting seems to be disabled.

Definitely an improvement though!

Last edited 4 years ago by mannieschumpert (previous) (diff)

#6 @chriscct7
3 years ago

  • Keywords needs-testing added

#7 @morganestes
3 years ago

  • Keywords needs-testing removed

On a 4.3.1 install, using 1Password 5.4 Beta and the beta extension in Chrome on OS X, autofill and auto-submit work to fill in the form but it also fills in my username in the post title field. I have 1Password configured to Search All Fields and Submit.

When I turned off Search All Fields and switched to Major Fields, it filled in the same info, but this time it tried to navigate me away from the page (I got a Confirm Navigation prompt, but don't know where it's trying to take me).

Note: See TracTickets for help on using tickets.