Forum Discussion

joeRinehart's avatar
joeRinehart
New Contributor
1 month ago
Solved

1Password Chrome extension is incorrectly manipulating <code> blocks

The latest 1Password Chrome extension is incorrectly manipulating the DOM within <code> blocks on static pages. It looks it's using prism.js to try to add syntax highlighting to <code> blocks on the ...
browser extension
  • 1P_Blake's avatar
    1P_Blake
    1 month ago

    Hey everyone! I want to thank everyone who called our attention to this and explain what happened and what we’re doing about it.

    What happened: Prism.js is a syntax-highlighting library we use for our Labs Snippets feature. While optimizing our build to reduce bundle size, we unintentionally bundled Prism.js into the extension in a way that caused it to run on pages where it shouldn’t, which interfered with code formatting on certain sites. We apologize for the inconvenience this caused.

    What we’re doing about it:  We’ve completed the fix and submitted it to the Chrome Web Store, along with Firefox, Edge, and our other supported extension storefronts. Rollout timing depends on each store’s review process, but we expect it to land over the next few days.

    We want to emphasize that vault security was not impacted. At 1Password, protecting our customers’ privacy, passwords, and credentials is our highest priority.

    We’ll be publishing a postmortem covering what went wrong, the timeline, and the concrete changes we’re making to how we build and release future browser extension updates.

imgggg's avatar
imgggg
New Contributor
1 month ago

Been using 1Password for at least 6yrs. I'm absolutely pissed off after hours of debugging on why code highlighting does not work anymore. Been trusting the extension despite there was some hiccups before so ironically a browser extension of a password manager is the LAST thing came to my mind to check.

How many people would this update break?

This is one of the changes that should guard against a feature flag with gradual rollout. Why it is not is beyond me.

HOW DOES THIS EVEN GET TO PRODUCTION IN THE FIRST PLACE?

---

Edit: Can confirm that iOS 1Password Safari Extension also breaks. I bet they're using the same codebase.

This is severe to the point where this is not a regular hiccup anymore. This breaks OTHER'S site without any clue on how they're suppose to fix YOUR issue. If this does not get fixed people's codebase would literally starting to have "# Dirty fix for a nasty 1Password bug".

Please take more attention to this and fix it ASAP. This is the most severe incident I can consider that a browser extension could cause.