Forum Discussion

BobW
Dedicated Contributor
2 months ago

Confusing autofill UX with iframes

According to https://support.1password.com/browser-autofill-security/, the extension will not autofill credentials into forms hosted in cross-origin iframes (except for credit card fields). That’s expected and desirable from a security perspective.

However, I ran into a situation where this leads to very confusing UX.

Here’s the setup:

  • A page on sitea.com embeds a login form from siteb.com using a cross-origin <iframe>.
  • 1P has a credential saved for sitea.com, but not for siteb.com.

When visiting the sitea.com page, the 1Password browser extension does show the inline menu for the saved credential, despite the form being pulled from siteb.com. But the menu does not work: selecting the credential causes the menu to briefly disappear and then reappear, but nothing is filled. Presumably this is because of the cross-origin restriction. I noted that it's also in a closed shadow DOM, so at least siteb.com can't see the credential (though it can infer some things about it).

Quick Access also shows the credential, but nothing happens when you select it.

So autofill is correctly blocked, but the inline menu appearing inside a non-matching iframe creates confusion for the user. Same for Quick Access offering the cred but not filling it. Basically, it looks like 1Password's autofill is broken. When I ran into this issue this morning, I didn't catch what was happening right away and ended up emailing support about it, wasting their time and mine.

Suggestion:

It would be helpful if 1Password showed an explanatory message in this case. It could be in the inline menu in the case of the extension, or somewhere in the window in the case of Quick Access. Or it could be a message popped up when either autofill mechanism is triggered and fails. It doesn't have to be super-technical, but something to let the user know that autofill won't work with the site because of security limitations with the way the site is set up. The user might groan a little, but at least they won't try to plow ahead, get confused, contact support about it, and end up groaning anyway.

1 Reply
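The policy the post describes, as an added example that is not part of the thread and not 1Password's code: a credential is only offered for the frame that actually hosts the form, a login form in a cross-origin iframe is never filled (credit-card fields being the exception the linked support page documents), and every refusal carries a user-facing reason so the inline menu can explain itself instead of silently failing. The host-matching rule (a credential saved for host H matches H or a subdomain of H) is a simplifying assumption; the sitea.com/siteb.com scenario is constructed from the post.

```javascript
// Added example (not 1Password's code). Models autofill eligibility for a form
// rendered in a given frame and returns an explanation when filling is refused.

const Decision = Object.freeze({
  FILL: "fill",
  BLOCKED_CROSS_ORIGIN_FRAME: "blocked-cross-origin-frame",
  NO_MATCHING_CREDENTIAL: "no-matching-credential",
});

// Simplifying assumption: a credential saved for host H matches a frame whose
// host is H or a subdomain of H. Real matching rules are more involved.
function hostMatches(frameHost, credentialHost) {
  return frameHost === credentialHost || frameHost.endsWith("." + credentialHost);
}

// topUrl: URL of the top-level page; frameUrl: URL of the frame containing the
// form (equal to topUrl when the form is not in an iframe); credentialUrl: the
// site the saved item belongs to; fieldKind: "login" or "credit-card".
function decideAutofill({ topUrl, frameUrl, credentialUrl, fieldKind = "login" }) {
  const top = new URL(topUrl);
  const frame = new URL(frameUrl);
  const cred = new URL(credentialUrl);
  const crossOriginFrame = top.origin !== frame.origin;

  // Cross-origin iframe: refuse before even looking at which credential is
  // saved, and say why, so the menu can show a message instead of a dead item.
  if (crossOriginFrame && fieldKind !== "credit-card") {
    return {
      decision: Decision.BLOCKED_CROSS_ORIGIN_FRAME,
      message:
        `Autofill is unavailable here: this form is loaded from ${frame.hostname} ` +
        `inside a page on ${top.hostname}, and logins are not filled into forms ` +
        `embedded from another site.`,
    };
  }

  // Match the credential against the frame hosting the form, not the top page.
  if (!hostMatches(frame.hostname, cred.hostname)) {
    return {
      decision: Decision.NO_MATCHING_CREDENTIAL,
      message: `The saved login is for ${cred.hostname}, but this form belongs to ${frame.hostname}.`,
    };
  }

  return { decision: Decision.FILL, message: null };
}

// Build inline-menu entries for a set of saved items. Each entry carries a
// fillable flag and, when not fillable, the explanation the post asks for.
function inlineMenuEntries(savedCredentials, context) {
  return savedCredentials.map((item) => {
    const verdict = decideAutofill({ ...context, credentialUrl: item.url });
    return {
      title: item.title,
      fillable: verdict.decision === Decision.FILL,
      message: verdict.message,
    };
  });
}

// Constructed scenario from the post: a page on sitea.com embeds a login form
// from siteb.com, and only a sitea.com credential is saved.
const SCENARIO = {
  context: {
    topUrl: "https://sitea.com/account",
    frameUrl: "https://siteb.com/login",
    fieldKind: "login",
  },
  saved: [{ title: "sitea.com login", url: "https://sitea.com/" }],
};

const demoEntries = inlineMenuEntries(SCENARIO.saved, SCENARIO.context);
for (const entry of demoEntries) {
  console.log(entry.fillable ? `fill: ${entry.title}` : `cannot fill ${entry.title}: ${entry.message}`);
}
```

Running the block prints the refusal message for the constructed scenario; in a real extension the same verdict object would drive both the inline menu item state and a Quick Access notice, so the two surfaces never disagree about whether a fill will happen.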

  • Hello BobW! 👋

    I'm sorry for missing this post. Are you able to provide a link to the webpage that you're referring to so that I can take a look? I'd be happy to pass along your feedback to our product and development teams. If you don't want to post a link in the public community then you can send it to support@1Password.com along with a link to this thread.

    I look forward to hearing from you.

    -Dave