[wp-trac] [WordPress Trac] #27086: Make auth-check logins work with 1Password

WordPress Trac noreply at wordpress.org
Mon Feb 10 15:51:23 UTC 2014


#27086: Make auth-check logins work with 1Password
------------------------------------+-----------------------------
 Reporter:  nacin                   |      Owner:
     Type:  defect (bug)            |     Status:  new
 Priority:  normal                  |  Milestone:  Awaiting Review
Component:  Login and Registration  |    Version:
 Severity:  normal                  |   Keywords:
  Focuses:                          |
------------------------------------+-----------------------------
 After some conversation on Twitter, I've been testing 1Password's browser
 extensions against WordPress. It works fine when logging in normally, but
 when you get logged out and need to log in from an iframe, it fails pretty
 hard.

 Specifically, 1Password decides to fill *every* text input — even those
 that are hidden, that have content, or that aren't in the same form — with
 the login name. This is despite the web form fields being configured,
 present, and matching up perfectly.

 (By hidden I'm referring to type="text" that is visually hidden, not
 type="hidden".)

 Basic steps to trigger the issue:
  * Have a login saved from wp-login.php (making sure that your web form
 details are for "log", "pwd" and optionally "rememberme").
  * Edit a post.
  * Hit the 1Password global shortcut, ⌘\. It will fill in every text
 input, including the title, the tags meta box input, the slug meta box
 input, etc. It's a mess.

 Steps to reproduce with a real login form:
  * Have a login saved from wp-login.php, etc.
  * Edit a post.
  * Delete your login cookies. Wait three minutes, or speed things up by
 calling `wp.heartbeat.connectNow()` in your console.
  * An iframe should pop up (assuming you're not cross-domain, at least).
 Log in using ⌘\.
  * It'll log into the iframe and submit it, which closes it.
  * Note that the title field and all other text fields.

 Steps to reproduce to comedic results:
  * Have a login saved from wp-login.php, etc.
  * Visit Settings > General.
  * Delete your login cookies. Wait three minutes, or speed things up by
 calling `wp.heartbeat.connectNow()` in your console.
  * An iframe should pop up (assuming you're not cross-domain, at least).
 Log in using ⌘\.
  * It'll log into the iframe and submit it, which closes it.
  * Note that every single settings field is filled with your login.

 Here's a dead-simple HTML page to try that involves two different forms.
 Doesn't matter where the focus is when ⌘\ is invoked. Doesn't matter if
 it's one form, multiple forms, an iframe, whether the other inputs are
 even wrapped by form.

 {{{

 <!DOCTYPE html>
 <head>
 <meta charset="utf-8" />
 </head>
 <body>

 <form>
 <input type="text" name="log" />
 <input type="password" name="pwd" />
 <input type="submit" />
 </form>

 <form>
 <input type="text" name="title" />
 <input type="text" name="foo" />
 <input type="text" name="bar" />
 <input type="text" name="baz" />
 </form>

 </body>
 </html>
 }}}

 It seems that "If the fields saved in a Login item don’t match the ones on
 the page I try to fill what I can"
 ([https://twitter.com/1Password/status/432687921154371584 source]) is
 inaccurate. It doesn't matter whether the fields match; and "fill what I
 can" actually means "randomly stomp on all fields". This reminds me of
 #24364.

 Possible solutions:
  * Disable all other inputs when the iframe is open, and re-enable them
 when closed. (Need to be careful to not re-enable previously enabled
 fields.)
  * Convince 1Password to release a fix for this. They happen to be
 WordPress users themselves, so it's not out of the question. There are
 numerous options here, as well — not filling in outside of an iframe is
 probably pretty safe, especially when fields also match 1:1. But one
 question would be how quickly they'd make a fix. I'd tend to think we'd be
 able to release 3.9 first. I filed an unrelated report of a simple,
 annoying, and straightforward bug about two months ago; their last bug fix
 release was about a month ago.

--
Ticket URL: <https://core.trac.wordpress.org/ticket/27086>
WordPress Trac <https://core.trac.wordpress.org/>
WordPress publishing platform


More information about the wp-trac mailing list