1Password extension may be blocked where there’s a Content-Security-Policy (CSP) header

natevancouver
Community Member

Bug report

For login pages served with a Content-Security-Policy header, 1Password cannot fill in the password unless the CSP specifies style-src 'unsafe-inline'. The error message is:

Refused to execute inline script because it violates the following Content Security Policy directive: "style-src 'self'"

The last part of the error message, where it says 'self', may have additional sources, but unless one of them is 'unsafe-inline', 1Password won’t work. You normally try to avoid the “unsafe-” directives when writing a CSP-aware web app.

So far I don’t know of any public sites that do this, but we have internal sites where it happens. CSP has only recently been stable enough to use. I expect to see more CSP-enabled sites soon.

According to the Wikipedia article on CSP there’s supposed to be an exemption for browser add-ons. But the error occurs for me in all major browsers:

  • Safari 7.0 (9537.71): Reports the error shown above
  • Chrome (31.0.1650.63): Reports the error shown above
  • Firefox 26.0: No error message that I can see, but 1Password does nothing unless style-src unsafe-inline is added.

Version: 4.0.8 (408001) (Mac App Store)
OS X 10.9

Ref: https://developer.mozilla.org/en-US/docs/Security/CSP/Introducing_Content_Security_Policy

Regards,
Nate
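As an added example (not part of Nate’s post and not 1Password’s code): a small Node.js checker that takes a raw Content-Security-Policy header value and reports whether the page will permit inline styles at all, which is the condition the report above says the extension depends on. It assumes CSP Level 2 semantics: style-src falls back to default-src, the first occurrence of a directive wins, and ’unsafe-inline’ is ignored once a nonce or hash source is present. The sample headers are constructed for the example, not taken from any real site.

```javascript
// Added example, not code from the original post or from 1Password.
// Given a raw Content-Security-Policy header value, decide whether the page
// lets inline styles apply and explain why not.  Assumes CSP Level 2 rules:
// style-src falls back to default-src, and 'unsafe-inline' is ignored when a
// nonce or hash source is present in the same directive.

function parseCsp(header) {
  // Directives are ';'-separated: "name source source ...".  The first
  // occurrence of a directive name wins; later duplicates are ignored.
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function inlineStyleAllowed(header) {
  const directives = parseCsp(header);
  let governing = 'style-src';
  let sources = directives.get(governing);
  if (sources === undefined) {
    governing = 'default-src';
    sources = directives.get(governing);
  }
  // Neither directive present: the policy places no restriction on styles.
  if (sources === undefined) {
    return { allowed: true, reason: 'no style-src or default-src directive' };
  }
  const hasUnsafeInline = sources.some(s => s.toLowerCase() === "'unsafe-inline'");
  const hasNonceOrHash = sources.some(s => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  if (!hasUnsafeInline) {
    return { allowed: false, reason: `${governing} does not include 'unsafe-inline'` };
  }
  if (hasNonceOrHash) {
    return { allowed: false,
             reason: `${governing} carries a nonce or hash, so 'unsafe-inline' is ignored` };
  }
  return { allowed: true, reason: `${governing} includes 'unsafe-inline'` };
}

// Constructed sample headers for the example (not from any real site).
const SAMPLE_HEADERS = {
  blocked:      "default-src 'self'; style-src 'self'",
  fallback:     "default-src 'self'",
  permitted:    "default-src 'self'; style-src 'self' 'unsafe-inline'",
  unrestricted: "script-src 'self'",
  nonced:       "style-src 'self' 'unsafe-inline' 'nonce-d2VsY29tZQ=='",
  duplicated:   "style-src 'self'; style-src 'unsafe-inline'",
};

// Audit every header and return the verdicts keyed by label.
function auditAll(headers = SAMPLE_HEADERS) {
  const results = {};
  for (const [label, header] of Object.entries(headers)) {
    results[label] = inlineStyleAllowed(header);
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, r] of Object.entries(auditAll())) {
    console.log(`${label.padEnd(12)} ${r.allowed ? 'ALLOWED' : 'BLOCKED'}  (${r.reason})`);
  }
}
```

To see which of your own pages would trip this without breaking them first, serve the same policy as Content-Security-Policy-Report-Only with a report-uri and inspect the violation reports; the checker above is the offline equivalent for a header you already have in hand.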

Comments

  • sjk
    1Password Alumni
    edited December 2013

    Hi, Nate ( @natevancouver ).

    Thank you for bringing this bug to our attention and your thorough report of it. I've filed a corresponding bug report in our tracker for it.

    Edit: If possible, could you please try testing there with Animate form filling under Preferences > Browser disabled and let me know if that helps? Thanks!

This discussion has been closed.