Local file restrictions with 1password using html files with file:/// using Firefox

Help us help you!

  • I’m using 1Password version #: 4.5.0.572
  • On a (Mac/PC/iOS/Android): Windows 8
  • Syncing with other devices (list them): dropbox & android, but the issue doesn't affect these

I have a need to run an HTML file from the local file system (file:///), and use Firefox. I control the HTML code and can modify it any way I want. I currently call the file://xxx.htm code using username/password from 1password like this: file://xxx.html?user=xxx&pass=yyy

Note that I have code in the HTML file that clears the URL address window so no one can see these passwords once the HTML is run by 1password.

But what I'd like to do is create a form for uid/psd so that 1password can insert the username/password, just like http:// files (although the way I'm doing it now works great). But it doesn't work and your forum says that firefox won't allow it. Two solutions I see (although as I say, the way I have it now does work).

  1. Figure out what the restriction is for Firefox and explore workarounds (I don't know what exactly the problem is that you are experiencing with Firefox so I can google it).

  2. Have 1password support token substitution, such as file://xxx.html?user=%USERNAME%&pass=%PASSWORD. In this latter case, 1password would detect the tokens and perform a substitution from the username/password fields in 1password to the URL before passing it to the browser.

Since 2 doesn't work, I thought I'd explore 1 more... if you can tell me what the problem is with Firefox in some way I can google. You might consider adding option 2... it can be secure with a few lines of javascript.

Thank you
Bill

Comments

  • svondutch
    1Password Alumni
    edited May 2015

    While I wouldn't recommend passing a plain-text password as an argument to a URL, I believe 1Password can potentially support option #2. We're currently supporting these tokens:

    {USERNAME}
    {PASSWORD}

    Up until now, 1Password replaces these tokens in cmd:\\ URIs only. I think I can turn this feature on for file:\\ URIs. But I'm hesitant. Passing a plain-text password to an application as a command-line argument is less risky than passing it to a web browser as a URL argument.

  • Hi @BillSabatine,

    The best way you can do this now is to run a simple web server on your machine to serve these HTML files, and you can open it in Firefox via http://, which the 1Password extension will work on.

    > But it doesn't work and your forum says that firefox won't allow it.

    I'm not sure what you mean by this. Can you provide the links where we talked about Firefox not allowing this?

    > Figure out what the restriction is for Firefox and explore workarounds (I don't know what exactly the problem is that you are experiencing with Firefox so I can google it).

    It sounds like maybe you're talking about 1PasswordAnywhere. This is because it has a few .js (JavaScript) files stored externally and Firefox doesn't have a workaround to allow local JavaScript files to run. This is a major security benefit for their users; not allowing infected local JavaScript files to run helps prevent the escalation of these infections.

    Chrome does have a workaround (--allow-file-access-from-files) as explained here: https://support.1password.com/1passwordanywhere-local-file-restrictions/

    However, even with allowing Chrome to run local JavaScript files, I am not sure how 1Password is involved in this scenario.

    You need the 1Password extension to request the decrypted forms of your data from your vault file. Right now, the 1Password extension only reacts when the site is loaded via http:// and https:// because we must tell Firefox and other browsers the scope of our extension scripts; basically where it can be loaded.

    Currently, the extension does not support file:// and we do not know for sure yet that any browsers allow this. We'll investigate this but it is not a high priority for us as file:// is not a good idea to use in terms of the security risks.

    Again, you can work around this by running a lightweight web server on your computer to switch it from file:// to http://.

    > Have 1password support token substitution, such as file://xxx.html?user=%USERNAME%&pass=%PASSWORD. In this latter case, 1password would detect the tokens and perform a substitution from the username/password fields in 1password to the URL before passing it to the browser.

    We will consider this in the future but we have no timeframe for this. You've requested this a few times before in the other two threads you created (1, 2),

    > it can be secure with a few lines of javascript.

    Except we're not using JavaScript; the 1Password program or 1Password Helper program has to natively decrypt your data first, then replace the tokens before it finally passes the URL with the username/password included to the browser.

This discussion has been closed.
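
The workaround suggested in the reply above (serve the local HTML over http:// instead of file://), as an added example that is not part of the thread and not 1Password code. It assumes Python 3.7+; the port 8000, the current directory and the names `make_server` and `LocalOnlyHandler` are illustrative choices, and the hardening (loopback-only bind, Host check, no listings, no caching) goes beyond what the reply describes.

```python
import functools
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Bind to loopback only, never 0.0.0.0: the pages must not be reachable from the LAN.
LOOPBACK = "127.0.0.1"


class LocalOnlyHandler(SimpleHTTPRequestHandler):
    """Static file handler that only answers requests addressed to this server."""

    def _host_ok(self):
        # A Host header naming anything else means the request was steered here
        # by another origin (DNS rebinding), so it is refused.
        port = self.server.server_address[1]
        allowed = {f"{LOOPBACK}:{port}", f"localhost:{port}"}
        return self.headers.get("Host", "") in allowed

    def do_GET(self):
        if not self._host_ok():
            self.send_error(403, "Unexpected Host header")
            return
        super().do_GET()

    def list_directory(self, path):
        # Serve named files only; do not reveal what else is in the folder.
        self.send_error(403, "Directory listing disabled")
        return None

    def end_headers(self):
        # Keep pages that handle credentials out of the browser cache.
        self.send_header("Cache-Control", "no-store")
        super().end_headers()


def make_server(directory, port=0):
    """Build a loopback-only server for `directory`; port 0 picks a free port."""
    handler = functools.partial(LocalOnlyHandler, directory=directory)
    return ThreadingHTTPServer((LOOPBACK, port), handler)


if __name__ == "__main__":
    server = make_server(".", 8000)  # assumed folder and port
    print("Open http://127.0.0.1:8000/<your-file>.html in the browser")
    server.serve_forever()
```

With the page loaded from http://127.0.0.1:8000/, an ordinary login form with username and password inputs gives the extension something to fill, so the credentials no longer need to travel in the URL query string.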