Former Member
3 years ago
Security Issue with Autofill?
Hi Everyone,
I came across an article on https://www.bleepingcomputer.com/ in regard to security issues with Bitwarden's Auto-Fill feature. Now I'm curious if we have a similar issue with 1Passwor...
Former Member
3 years ago
Hi @hayduk! We do fill iframes, but we check the URLs of the individual frames every step of the way to make sure that the item in question can actually fill. If the login form is in an iframe that has a URL that doesn't match the one in an item, we'll fill nothing at all.
In regards to filling on subdomains, I want to clarify that we consider that working as intended, unless the base domain is on the PSL (public suffix list).
If a hosting provider does this:
Some content hosting providers allow hosting arbitrary content under a subdomain of their official domain, which also serves their login page
They would need to do their due diligence and submit their root domain to the PSL so that we (and also browsers) know to treat subdomains as distinct security contexts. Almost all of the web operates under the assumption that subdomains of a website are "trusted" in some way, unless the domain they're a subdomain of is on the PSL.
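The frame check and PSL rule described in the reply above, sketched as an added example that is not part of the original thread and is not 1Password's code. The function names, the six-rule PSL excerpt and the example hostnames are assumptions made for illustration.

```javascript
// Added illustration; names and the rule list are assumptions, not 1Password code.
// Constructed excerpt of the Public Suffix List (a real check loads the full list).
const PSL_RULES = new Set(["com", "io", "co.uk", "github.io", "*.ck", "!www.ck"]);

// Public suffix of a hostname: the longest matching rule wins, an exception
// rule (!) overrides a wildcard, and an unlisted TLD is treated as a suffix.
function publicSuffix(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const candidate = labels.slice(i).join(".");
    const parent = labels.slice(i + 1).join(".");
    if (PSL_RULES.has("!" + candidate)) return parent;
    if (PSL_RULES.has(candidate)) return candidate;
    if (parent && PSL_RULES.has("*." + parent)) return candidate;
  }
  return labels[labels.length - 1];
}

// Registrable domain (public suffix plus one label), or null when the host
// is itself a public suffix.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase();
  const suffix = publicSuffix(host);
  if (host === suffix) return null;
  const rest = host.slice(0, -(suffix.length + 1)).split(".");
  return rest[rest.length - 1] + "." + suffix;
}

// True when the frame holding the login form may be filled with the item.
function canFill(itemUrl, frameUrl) {
  const item = new URL(itemUrl).hostname;
  const frame = new URL(frameUrl).hostname;
  if (item === frame) return true;
  const base = registrableDomain(item);
  return base !== null && base === registrableDomain(frame);
}

// Constructed frame URLs checked against one saved item each.
function demo() {
  return {
    sameSite: canFill("https://www.example.com/login", "https://sso.example.com/form"),
    foreignFrame: canFill("https://www.example.com/login", "https://widgets.example.net/form"),
    pslHost: canFill("https://alice.github.io/login", "https://mallory.github.io/login"),
    unlistedHost: canFill("https://www.hosting.example/login", "https://user1.hosting.example/"),
  };
}
console.log(demo());
```

The `unlistedHost` case is the hosting-provider situation from the reply: because `hosting.example` is not in the list, a user-controlled subdomain matches the item saved for the provider's own login page, while the `github.io` pair is kept apart.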