Not opening non-http URLs

1P_Ben if it helps the argument for reinstating this feature, FileMaker added some protections for this in v19.5.1, back in May (the current version is 19.5.3).

From the release notes:

Security
FileMaker Pro notifies you when an fmp URL is opening a hosted custom app. Choose to open anyway, add the host to your permitted hosts list, or cancel. See Setting permitted hosts and plug-ins preferences in FileMaker Pro Help.

This notification is disabled by default. To enable it, open the Preferences dialog box and in the Permitted tab, choose Warn me before an fmp URL opens a file. See FileMaker Pro Help.

To enable this notification for assisted installations, set AI_WARN_FMP_URL in the Assisted Install.txt file. See FileMaker Pro Network Install Setup Guide.

So companies that are concerned about this, can turn on that flag in their deployed installations.

I know that only solves fmp protocol handlers, but a list of "Allowed handlers" in 1Password prefs would handle that well, IMO.

cc: Jack_P_1P (since you recently followed up on this issue on a different thread - thanks!)

@bittailor thanks for posting this. My team finally updated to 1P8 today, so I'm finally feeling this pain "for realz" now. Ha!

The ability to launch an fmp:// url from the quick launch is at least something… but I'm not seeing an easy way to navigate if you have multiple fmp URLs in one 1Password entry, so this update is still rather limiting and frustrating.

I spoke too soon. It's only available from quick access:

It's not available from 1Password:

Browsers already handle this by asking the user, so I'm not sure why it's an issue for 1P.

The latest beta does open fmp:// URLs now. :)
Edit: only partially. See next comment.

Thank you for the input here. I will share these messages with our security team. Hopefully there is some middle ground that would be agreeable.

Ben

ref: IDEA-I-761

I would also like to voice support for allowing non-https url protocols. I would be completely happy with a compromise where by default urls not beginning with https were only copied as they are now, if there were either a checkbox in Advanced or Developer prefs to enable them, or even a non-GUI defaults write com.agilebits.onepasssword setting that we could manually enable. The ability to launch other apps from within 1Password entries can be very very useful.

I just realized that our team isn't on 1Password 8 yet on the desktop. If the ability to open fmp:// URLs goes away in 1Password 8, that's a major roadblock to us upgrading. If this is the case, we will likely stay on 1Password 7 as long it is supported. 😞

I get it, but this is super frustrating. It severely limits the usability for FileMaker developers, as the OP mentions with fmp:// URLs.

I wonder if you could consider having a permissions list of URL protocols? Give users (or admins) the power to restrict or enable different URL schemes/handlers? Thanks for considering.

Couldn’t 1Password ask for confirmation before opening the link?
I’m not sure I fully understand either. I’m not sure what kink of an attack could be crafted with a tembo2://activation?code=whatever or a hhgo://activation?code=whatever link.

Right now, 1Password 8 copies the links, then we need to go in Safari, paste and activate the link to get it to open in the corresponding app.
As a side note, Safari doesn’t seem to think it’s a security threat…

Corentin

Hi folks,

I spoke with our security team on this. I'm afraid I don't have the answer you were hoping for, but I do have an answer.

Restricting which URLs 1Password will open is an intentional limitation. We must not allow arbitrary protocol handlers, especially in a world with shared vaults, Psst!, etc. Unrestricted handlers could be exploited to enable one 1Password user to attack another. We should have limited it in the past, but we finally addressed it in v8.

There may be an argument to be made that we should allow more protocol handlers or change the rules based on personal/shared vaults, but at this point, it's pretty restricted to protect users. We'll continue to monitor the landscape and make adjustments as appropriate.

Ben