Possible Safari plugin bug - canceling at unsecured login error still fills and sends form.
I'm running macOS 10.10.1, Safari 8.0.2, and 1P plugin 4.2.5.
Browsing bhphotovideo.com and attempting to login to the site from a product page (not the home page) brings up a modal login form that when I ask 1P to autofill, 1P gives an error dialog explaining that the page is not secure with options to continue or cancel. When I click "cancel", the form is filled and sent. I have confirmed this behavior for this specific site, but haven't tried to find and test any similar pages.
Glad to provide more info if needed. Please let me know if I've made a mistake or otherwise mis-diagnosed the problem.
-Andy
Comments
Hi @heyandy,
When I created a test Login item for the site, the Saving a Login Manually steps resulted in a Login item with two website fields:
1. http://www.bhphotovideo.com/
2. https://secure.bhphotovideo.com/find/loginIframe.jsp?referer=http://www.bhphotovideo.com/&isLoginOnly=Y&via=iframe
How does this compare to yours? I suspect you only have the latter, number 2, or the ordering is the opposite for you.
We are definitely having difficulties with the site, but I do at least think I understand what is happening when you click on cancel. Our extension is having trouble with focus, a lot of trouble, and it's in both the stable and beta, so thank you for reporting this to us. Even after you've brought up the modal login, the extension is trying to fill in all sorts of fields on the page rather than focussing on the actual login window. So if you don't have website 1, or the ordering is the other way round, it rightfully points out that it believes it should be a secure page and not using http. When you click cancel, it then proceeds to fill on the actual secure page, the login window.
So I don't believe it is sending your login credentials to an insecure page but there is a whole load of mess there for us to start sifting through.
So as long as you click cancel, it isn't filling in fields on the insecure product page, but there is the question of why cancel isn't cancelling completely and the compatibility issue.
If you have any questions following that, and I don't blame you if you do, then please do ask away :smile:
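The per-frame scheme check and the "cancel should cancel everything" question discussed in this thread, as an added example that is not part of the original posts and is not 1Password's code: each frame is compared with the saved website fields, and one Cancel on the insecure-page warning aborts the fill for every frame, including the secure login iframe. The function names, the two-label site matching and the product-page URL are assumptions made for illustration.

```javascript
// Added illustration, not 1Password's code. All function names are hypothetical.
// The two website fields quoted in the reply above.
const HOME = "http://www.bhphotovideo.com/";
const SECURE_LOGIN =
  "https://secure.bhphotovideo.com/find/loginIframe.jsp?referer=http://www.bhphotovideo.com/&isLoginOnly=Y&via=iframe";
// Constructed product-page URL standing in for the top-level frame.
const PRODUCT_PAGE = "http://www.bhphotovideo.com/c/product/example.html";

// Assumption: "same site" means the last two host labels match.
// Production code would consult the Public Suffix List instead.
function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// Verdict for one frame: "fill" (a saved URL has the same site and scheme),
// "warn" (only an https URL is saved but the frame is http), or "skip".
function classifyFrame(frameUrl, savedUrls) {
  const frameScheme = new URL(frameUrl).protocol;
  let downgrade = false;
  for (const saved of savedUrls) {
    if (siteOf(saved) !== siteOf(frameUrl)) continue;
    const savedScheme = new URL(saved).protocol;
    if (savedScheme === frameScheme) return "fill";
    if (savedScheme === "https:" && frameScheme === "http:") downgrade = true;
  }
  return downgrade ? "warn" : "skip";
}

// Decide for all frames before touching any field. If any frame needs the
// insecure-page warning and the user cancels, nothing is filled anywhere.
function planFill(frameUrls, savedUrls, userContinues) {
  const verdicts = frameUrls.map((url) => ({ url, verdict: classifyFrame(url, savedUrls) }));
  if (verdicts.some((v) => v.verdict === "warn") && !userContinues()) return [];
  return verdicts.filter((v) => v.verdict !== "skip").map((v) => v.url);
}

const frames = [PRODUCT_PAGE, SECURE_LOGIN];
// Only website 2 saved: the http product page triggers the warning; Cancel fills nothing.
console.log(planFill(frames, [SECURE_LOGIN], () => false));
// Both websites saved: no frame is a downgrade, so no warning is raised.
console.log(planFill(frames, [HOME, SECURE_LOGIN], () => false));
```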