Forum Discussion

thecatfix's avatar
thecatfix
Dedicated Contributor
14 hours ago

Using Violentmonkey to Control 1Password Autofill on Specific Sites

As an answer to this issue. 

I asked claude code to summarize the problem and generate a potential solution.

Problem: 1Password has no way to permanently disable autofill on specific websites. The only built-in option ("Hide on this page") is session-only and resets on browser restart. Users working with CRMs, dashboards, and web apps with many form fields have 1Password icons blocking dropdowns, suggesting irrelevant credentials, and firing "save this password?" prompts constantly. This has been requested for 3+ years with 46 replies and no native solution from 1Password.

Solution that gives you **permanent, granular control** over where 1Password appears using **Violentmonkey**, a free and open-source browser extension.

---

## What is Violentmonkey?

[Violentmonkey](https://violentmonkey.github.io/) is an open-source (MIT license) **userscript manager** for Firefox, Chrome, and Edge. It lets you write small JavaScript snippets that run automatically on specific websites, modifying how those pages behave in your browser.

Think of it as a personal customization layer for the web. You define *which sites* a script runs on, and *what it does* when it runs. Scripts persist across sessions, restarts, and updates.

**Key facts:**

- Free, open-source, no telemetry
- Available on [Firefox Add-ons](https://addons.mozilla.org/en-US/firefox/addon/violentmonkey/) and [Chrome Web Store](https://chrome.google.com/webstore/detail/violentmonkey/jinjaccalgkegednnccohejagnlnfdag)
- Active development and community
- Lightweight -- only runs scripts on pages you specify

---

## How Userscripts Work

A userscript is just JavaScript with a metadata header that tells Violentmonkey *when* and *where* to run it. Here's the anatomy:

```javascript
// ==UserScript==
// @name         My Script Name
// @namespace    my-scripts
// @version      1.0
// @description  What this script does
// Match        https://example.com/*
// @grant        none
// @run-at       document-start
// ==/UserScript==

(function () {
  "use strict";
  // Your code here
})();
```

**Important fields:**

- `@match` -- URL pattern where the script runs. Supports wildcards (`*`). You can have multiple `@match` lines.
- `@run-at` -- When the script executes: `document-start` (before the page loads), `document-end` (after DOM is ready), or `document-idle` (after page is fully loaded).
- `@grant` -- Permissions the script needs. `none` means it runs in the page's own context.

---

## The Core Solution: Blocking 1Password on Specific Sites

This script uses **two mechanisms** to completely suppress 1Password on any site you list:

1. **`data-1p-ignore` attribute** -- This is 1Password's own official HTML attribute. When present on an `<input>`, 1Password skips that field entirely. We add it to every form element on the page.
2. **MutationObserver** -- Watches the DOM for 1Password's custom elements (`com-1password-menu`, `com-1password-button`, `com-1password-notification`) and removes them the instant they appear.

### Full Site Blocker Script

```javascript
// ==UserScript==
// @name         1Password Blocker
// @namespace    1password-control
// @version      1.0
// @description  Permanently block 1Password autofill on specific sites
// Match        https://crm.example.com/*
// Match        https://admin.example.com/*
// @grant        none
// @run-at       document-start
// ==/UserScript==

(function () {
  "use strict";

  const SELECTORS = "com-1password-menu, com-1password-button, com-1password-notification";

  // Remove 1Password custom elements as they appear
  new MutationObserver(() => {
    document.querySelectorAll(SELECTORS).forEach((el) => el.remove());
  }).observe(document.documentElement, { childList: true, subtree: true });

  // Mark all form fields so 1Password ignores them
  document.addEventListener("DOMContentLoaded", () => {
    const mark = (el) => el.setAttribute("data-1p-ignore", "");
    document.querySelectorAll("input, select, textarea").forEach(mark);

    // Catch dynamically added fields (SPAs, AJAX-loaded content)
    new MutationObserver((mutations) => {
      for (const m of mutations) {
        for (const node of m.addedNodes) {
          if (node.nodeType !== 1) continue;
          if (node.matches?.("input, select, textarea")) mark(node);
          node.querySelectorAll?.("input, select, textarea").forEach(mark);
        }
      }
    }).observe(document.body, { childList: true, subtree: true });
  });
})();
```

### How to Install

1. Install Violentmonkey from your browser's extension store
2. Click the Violentmonkey icon in your toolbar
3. Click the `+` button to create a new script
4. Delete the template and paste the script above
5. **Edit the `@match` lines** to list your target sites
6. Press `Ctrl+S` to save

That's it. The block is permanent and survives browser restarts.

---

## URL Pattern Examples

The `@match` pattern follows the format `scheme://host/path`:

```javascript
// Block on an entire domain
// Match        https://app.hubspot.com/*

// Block on a specific section only
// Match        https://app.hubspot.com/contacts/*

// Block on all subdomains of a domain
// Match        https://*.salesforce.com/*

// Block on 1Password's own login page
// Match        https://my.1password.com/*

// Block on an internal/corporate tool
// Match        https://internal.yourcompany.com/*

// Block on multiple specific paths
// Match        https://site.com/contacts/*
// Match        https://site.com/accounts/*
// Match        https://site.com/deals/*
```

---

## Beyond Full Blocking: Other Possibilities

The beauty of userscripts is flexibility. Here are variations that solve specific pain points raised in this thread:

### 1. Block on Specific Fields Only (Not the Whole Page)

For CRM users who still want 1Password on the login page but not on "Name", "Address", and "Phone" fields inside the app:

```javascript
// ==UserScript==
// @name         1Password Field Filter
// @namespace    1password-control
// @version      1.0
// @description  Block 1Password on non-login fields only
// Match        https://crm.example.com/*
// @grant        none
// @run-at       document-end
// ==/UserScript==

(function () {
  "use strict";

  const IGNORE_PATTERN = /name|address|phone|city|zip|state|company|title|email|fax/i;

  const maybeIgnore = (el) => {
    const hint = (el.name || "") + (el.placeholder || "") + (el.id || "");
    if (IGNORE_PATTERN.test(hint)) {
      el.setAttribute("data-1p-ignore", "");
    }
  };

  document.querySelectorAll("input, select, textarea").forEach(maybeIgnore);

  new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1) continue;
        if (node.matches?.("input, select, textarea")) maybeIgnore(node);
        node.querySelectorAll?.("input, select, textarea").forEach(maybeIgnore);
      }
    }
  }).observe(document.body, { childList: true, subtree: true });
})();
```

### 2. Suppress "Save This Password?" Prompts Only

For YubiKey or OTP users where the password changes every time and 1Password's save prompt is the annoyance -- not the autofill itself:

```javascript
// ==UserScript==
// @name         1Password Save Prompt Suppressor
// @namespace    1password-control
// @version      1.0
// @description  Block only the save/update password notification
// Match        https://vpn.example.com/*
// @grant        none
// @run-at       document-start
// ==/UserScript==

(function () {
  "use strict";

  new MutationObserver(() => {
    document.querySelectorAll("com-1password-notification").forEach((el) => el.remove());
  }).observe(document.documentElement, { childList: true, subtree: true });
})();
```

### 3. Auto-Submit After 1Password Fills Credentials

For login pages where you always click "Sign In" after 1Password fills the form -- skip the extra click:

```javascript
// ==UserScript==
// @name         Auto-Submit After 1Password Fill
// @namespace    1password-control
// @version      1.0
// @description  Automatically submit login form after 1Password fills it
// Match        https://slowapp.example.com/login*
// @grant        none
// @run-at       document-end
// ==/UserScript==

(function () {
  "use strict";

  const observer = new MutationObserver(() => {
    const user = document.querySelector('input[name="username"]');
    const pass = document.querySelector('input[name="password"]');
    if (user?.value && pass?.value) {
      observer.disconnect();
      setTimeout(() => {
        document.querySelector('button[type="submit"]').click();
      }, 300);
    }
  });
  observer.observe(document.body, { subtree: true, attributes: true, childList: true });
})();
```

### 4. Help 1Password Recognize Non-Standard Login Forms

Some legacy apps use weird field names (`usr_id`, `usr_pwd`) that 1Password can't detect. Fix them:

```javascript
// ==UserScript==
// @name         Fix Login Fields for 1Password
// @namespace    1password-control
// @version      1.0
// @description  Add autocomplete hints so 1Password detects login fields
// Match        https://legacy-app.example.com/*
// @grant        none
// @run-at       document-end
// ==/UserScript==

(function () {
  "use strict";

  const userField = document.querySelector('input[name="usr_id"]');
  const passField = document.querySelector('input[name="usr_pwd"]');
  if (userField) userField.setAttribute("autocomplete", "username");
  if (passField) passField.setAttribute("autocomplete", "current-password");
})();
```

### 5. Visual Indicator for Blocked Sites

Add a small unobtrusive badge so you remember 1Password is suppressed on the current site:

```javascript
// ==UserScript==
// @name         1Password Block Indicator
// @namespace    1password-control
// @version      1.0
// @description  Show a small badge when 1Password is blocked
// Match        https://crm.example.com/*
// @grant        none
// @run-at       document-end
// ==/UserScript==

(function () {
  "use strict";

  const badge = document.createElement("div");
  badge.textContent = "1P blocked";
  badge.style.cssText =
    "position:fixed;bottom:8px;right:8px;background:#1a1a2e;color:#8b8ba7;" +
    "padding:4px 10px;border-radius:4px;font:11px/1.4 system-ui;z-index:99999;opacity:0.5;" +
    "pointer-events:none;transition:opacity 0.2s";
  document.body.appendChild(badge);
  setTimeout(() => { badge.style.opacity = "0.2"; }, 3000);
})();
```

---

## Summary Table

| Script                 | What It Solves                                             | Who Needs It                                         |
| ---------------------- | ---------------------------------------------------------- | ---------------------------------------------------- |
| Full site blocker      | 1Password appears everywhere on a site                     | CRM users, dashboard users, web app power users      |
| Field-level filter     | 1Password icons on non-login fields (Name, Address, Phone) | CRM users who still need 1Password on the login page |
| Save prompt suppressor | "Do you want to save?" on every OTP/YubiKey login          | Security key users                                   |
| Auto-submit            | Extra click after 1Password fills credentials              | Anyone tired of clicking "Sign In"                   |
| Field fixer            | 1Password doesn't detect login fields on legacy apps       | Users of older internal tools                        |
| Visual indicator       | Forgetting which sites have 1Password blocked              | Anyone using the blocker scripts                     |

---

## Why This Works Better Than 1Password's Built-In Options

| 1Password's Options                    | Limitation                                     |
| -------------------------------------- | ---------------------------------------------- |
| "Hide on this page"                    | Session-only, resets on restart                |
| Disable "Show autofill on field focus" | Disables autofill on ALL sites globally        |
| Remove website URL from login item     | Loses autofill on the login page too           |
| "Never save on this website"           | Only affects save prompts, not the inline menu |

**Violentmonkey scripts are:**

- Permanent across sessions and restarts
- Per-site with wildcard URL matching
- Granular down to individual fields
- Shareable with team members (just send the script)
- Free and open source

---

## For Enterprise / Team Admins

If you manage a team, you can:

1. Write the scripts for your organization's problem sites
2. Host them on an internal URL or GitHub gist
3. Share the install URL with team members -- Violentmonkey can install scripts directly from a URL
4. Scripts auto-update if you set `@updateURL` and `@downloadURL` in the metadata

This is the closest thing to a centralized blocklist that's available today without waiting for 1Password to implement the feature natively.

---

**TL;DR:** Install Violentmonkey, paste a script, edit the `@match` lines to your sites, save. 1Password is permanently blocked on those sites. No more session-only "Hide on this page" that resets every time you restart your browser.

 

1password.com
browser extension
discussion

1 Reply

  • 1P_Dave's avatar
    1P_Dave
    Icon for Moderator rankModerator
    2 hours ago

    Hello thecatfix​! 👋

    Thank you for the post! You wrote: 

    The only built-in option ("Hide on this page") is session-only and resets on browser restart.

    This was true in the past but hasn't been the case for some time, when you right-click on a page and choose 1Password - Password Manager > Hide on this page, that preference will be remembered even if you restart your browser. It will only reset if you click the "Reset hidden pages" option in the browser extension's Autofill & save setting page or clear the browser extension's data in some other way. The setting is per-page only and doesn't currently apply to the entire website. 

    ⚠️ Just a quick note for everyone: scripts shared in the 1Password Community aren’t reviewed or vetted by the 1Password team, so please be sure to review them carefully before running anything.

    -Dave