Open Bug 1501401 Opened 6 years ago Updated 10 months ago

1Password Firefox AddOn does not work with auto-fill on Firefox Accounts

Categories

(WebExtensions :: General, enhancement, P3)

enhancement

Tracking

(Not tracked)

People

(Reporter: claudijd, Unassigned)

Details

Attachments

(1 file)

One of the big things we're trying to push this year is to help users increase their password manager adoption, and one of the aspects of getting better adoption is seamless auto-fill working with various password managers. I attempted to use 1Password Browser Addon, using Firefox Nightly, on Mac OSX to FxA and it simply does not auto-fill on login. I checked the browser console to see what, if any, errors it was throwing and couldn't find any indicators as to why, so I'm filing this for help tracking this down. I can confirm that my auto-fill works on other sites such as auth0.
Attached image Example screenshot
An example screenshot of the behavior of 1Password 7.2.1 on macOS 10.14 on Firefox 63.0 (release)
Confirmed on release, autofill does not trigger with hotkey, and manually clicking the 1Password add-on icon in FF displays the correct result, but the autofill button does nothing. See above screenshot.
Maybe Ryan will know?
Flags: needinfo?(rfkelly)
Logging in to https://accounts.firefox.com/signin with LastPass 4.18.1 also does not work. The in-page icons normally added to the username and password fields are not added. And when clicking that accounts.firefox.com credential in LastPass it does not fill in the username and password. Finally, attempting to launch the site from the LastPass Vault also does not work. It takes you to the FxA sign-in page but does not fill anything in nor submit the form.
Webextensions are deliberately blocked from interacting with a handful of privileged domains, including accounts.firefox.com: Bug 1415644. The inability to use third-party password-managers on FxA was explicitly called out as a drawback of this approach (e.g. Bug 1415644 Comment 19) but was deemed acceptable, at least initially. Perhaps it's time to revisit that discussion and see if we can come up with something better.
Component: Firefox Accounts → General
Flags: needinfo?(rfkelly)
Product: Firefox → WebExtensions
:rfkelly - I wonder if there could be less of a binary control here for all addons, but one where you could say "1Password (or equivalent password manager) is legit enough to run on, say, FxA, because it's an IDP and we've given it X-level of sec review".
I'd personally be happy with a default block policy and extra manual review step to allowlist addons that actually need to integrate with those pages, but it might be a bit weird philosophically to create these different tiers of addon. It's more of an addons security-policy question; David, could you please help us ensure that the right folks are looped into this discussion?
Flags: needinfo?(ddurst)
One more nit here (and this could be me not knowing where to look): there could be some sort of feedback in the console or somewhere to indicate why an addon isn't working or loading. I think it could be as light-weight as "AddOns are disabled on this web property for security purposes", but I'm sure those with closer ties to this have better (or more refined) ideas on how to make this better.
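Added example, not part of the original bug thread and not Firefox code: a small JavaScript model of the policy discussed in the comments above (default block on privileged hosts, an allowlist of manually reviewed add-ons, and a console-style explanation when an add-on is blocked). The function names, the policy structure, exact-host matching and the add-on IDs are assumptions made for illustration.

```javascript
// Hypothetical model of the policy discussed in this bug. Nothing here is a
// Firefox internal API; names and data structures are illustrative only.

// Constructed sample policy. accounts.firefox.com is the host named in the
// bug; the add-on ID is a made-up placeholder.
const SAMPLE_POLICY = {
  restrictedHosts: new Set(["accounts.firefox.com"]),
  reviewedAddons: new Map([
    ["accounts.firefox.com", new Set(["reviewed-pm@example.invalid"])],
  ]),
};

// Normalise a URL to a comparable hostname. Returns null when the input is
// not a parsable http(s) URL, so callers can fail closed.
function hostOf(rawUrl) {
  try {
    const u = new URL(rawUrl);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    // URL() lowercases the host; also drop a trailing root dot so that
    // "accounts.firefox.com." cannot slip past an exact-match check.
    return u.hostname.replace(/\.$/, "");
  } catch (_) {
    return null;
  }
}

// Decide whether an add-on may interact with the page at rawUrl.
// Returns { allowed, reason, message }; message is the diagnostic a console
// could show, or null when access is granted.
function checkAccess(addonId, rawUrl, policy = SAMPLE_POLICY) {
  const host = hostOf(rawUrl);
  if (host === null) {
    return { allowed: false, reason: "invalid-url",
             message: `Add-on ${addonId} blocked: URL is not a valid web URL.` };
  }
  // Exact host match is an assumption of this sketch.
  if (!policy.restrictedHosts.has(host)) {
    return { allowed: true, reason: "unrestricted-host", message: null };
  }
  const reviewed = policy.reviewedAddons.get(host);
  if (reviewed && reviewed.has(addonId)) {
    return { allowed: true, reason: "reviewed-allowlist", message: null };
  }
  return { allowed: false, reason: "restricted-host",
           message: `Add-on ${addonId} is blocked on ${host}: ` +
                    "add-ons are disabled on this site for security purposes." };
}
```

Because the decision carries both a machine-readable `reason` and a human-readable `message`, the same check can drive enforcement and the console feedback requested above.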
We're the right folks.
Flags: needinfo?(ddurst)
Priority: -- → P2
FxA has come up again in discussions at AllHands as an IDP/RP, which does not support password managers and as an org we're really trying to push users to make use of a password manager and follow strong patterns for protecting their credentials from password-based phishing attacks. No real action here, but wanted to share that added context if perhaps it's helpful to this group. The specific context was sites that present more phishing risk in Red Team Debrief discussion, and FxA happened to be one of the more likely ones because modern password manager expectations cannot be followed for this site for the technical reasons noted above regarding what sites AddOns can run on.
Priority: P2 → P3
Severity: normal → S3