Filling password in Xero time-out login popup
The normal login screen for Xero plays nicely with 1Password, but after a certain amount of time (10 mins?) Xero throws a dark overlay across the screen, with a lightbox displaying a login window to resume. The lightbox asks "Hi, are you still there?" and contains just a Password entry field (no username). Triggering the 1Password login browser extension doesn't fill this field.
Any suggestions for what's needed to change this? Difficult for you guys to replicate if you don't have a Xero account.
1Password Version: 6.3.2
Extension Version: 4.5.9.90
OS Version: OS X 10.11.5
Sync Type: Dropbox
Comments
-
Hi @mattymcg
I don't have an account with this site so I can't test this myself. However, I would like you to try something. When this happens next time, save a new login manually. Give it a different name, like "Xero timeout" or something that will let you identify it. When you get the timeout message try using this new login.
Please let us know if you try this and how it works for you :chuffed:
0 -
Seems like sensible advice, but no dice I'm afraid. Selecting "Save new login" doesn't do anything. It doesn't prompt me to save the login, so I guess it doesn't detect that I've entered the password (I didn't hit Enter or click "Log in").
0 -
@mattymcg: Interesting. It sounds like we may have multiple problems then: filling and saving. If you press Enter or click "Log in", does 1Password detect it then? It should really be able to save it when you manually select "Save new login" too though, so if you'll let me know the URL, we'll investigate that. Thanks in advance! :)
0 -
If you press Enter or click "Log in", does 1Password detect it then?
No, it doesn't.
Sorry I can't give you a single URL. To witness the behaviour, you'll need to sign up to Xero (there's a 30-day free trial https://www.xero.com/au/signup/), login, then wait for it to timeout.
Thanks
Matt0 -
Hi @mattymcg,
Thank you for the link and making us aware of the ease with which we can create a test account. As long as I'm not asked to supply credit card details or pay for something I'll happily make a test account anywhere if it can help :smile:
I've created the account and I'm currently waiting for it to time out on me to see what we're looking at. I shall report back once I learn more.
0 -
I created a Xero test account but so far haven't been able to get the timeout to trigger despite leaving Xero open in its own window for more than a day. Is there some specific action that prompts for the password? I can imagine that some actions would not and others would, so having a more detailed set of steps could point us in the right direction.
0 -
Hmm that's strange. I work with Xero in a tab in Chrome, and it always times out after somewhere around 5-10 minutes.
Is it possible that being in its own window sends different information about whether the window has focus or not? Maybe try it in a tab? #clutchingatstraws
0 -
I'm leaving Xero (and another site I'm trying to test a similar problem on) open in Chrome and I'll give it a test this afternoon. That should be plenty of time to get them to time out. I'll let you know what I find. :)
0 -
I finally reproduced this, but I am sorry to say I don't have good news. The timeout password prompt is presented using an
<iframe>that is loaded via Javascript after the timeout. When I look in the Chrome Developer Tools, under Sources > Content Scripts, I only see 1Password injected into the top frame and not the new frame that is displayed for the timeout.I did notice that they are using the
srcdocattribute rather thansrcfor theiframe's content document. To be honest, I hadn't heard of thesrcdocattribute before today, so that was something new for me to learn. It's not clear to me why they would use this approach rather than just having a full pagedivwith the password prompt form in it. I'm not sure what they gain by using an iframe here… :(At first I wasn't sure if
srcdocvssrcwould prevent the content scripts from our extension from being injected into the page or if the fact that theiframeis added after the page has loaded causes Chrome not to inject the scripts, but I went to Apple's sign in page and removed their iframe and then added it back there with Javascript and thesrcattribute and it does seem that Chrome injected the content scripts like it should. So, it seems likesrcdocdoes not allow Chrome to inject the scripts like we expect it to. This makes sense because there is nosrcattribute to get a URL from to compare against the various URL patterns that extensions specify to target injecting their scripts into those frames.So, all of that is a long and very in-the-weeds kind of way of saying that it doesn't look like Chrome is injecting our scripts, so as far as 1Password is concerned, that password field doesn't even exist. Presumably other browsers will do this as well since they use the same kind of URL matching patterns for determining where to inject scripts.
I'm sorry I don't have a better answer for you right now. I will reach out to the Xero folks and see if there's some way we can work together to make this a better experience for all our mutual customers.
--
Jamie Phelps
Code Wrangler @ AgileBits0 -
Jamie, did you have any luck reaching out to Xero about this? I deal with this problem on a daily basis. :-/
0 -
Actually, @sthilaa, I haven't. I can try reaching out to them again, but for now, my previous reply is still the latest information I have on this issue.
0 -
This has also been an annoying issue for me for quite a while. Any progress with this?
Would also be helpful if a user (or at least the subscriber) could vary the time-out interval.
0 -
I'm sorry, but I still don't have any further feedback from Xero on this. If you want to point Xero customer support to this thread and ask for an update, I think that might be more useful coming from a real customer than from someone that set up an account as a trial to test this issue out. :(
--
Jamie Phelps
Code Wrangler @ AgileBits
Fort Worth, Texas0 -
I realize this thread is quite old at this point, but I have an update. I didn't hear back from Xero, but I am a customer and just found the re-auth password prompt up when I got back to my desk just now. To my delight, the password field filled. Upon inspection, it appears that Xero is no longer using the
srcdocattribute for this iframe, so 1Password is properly injected and can fill this password field. If you have any other issues with this or any other site, please start a new discussion, but I wanted to update this thread since I happened to notice the improved behavior.--
Jamie Phelps
Code Wrangler @ 1Password
Fort Worth, Texas0 -
Unfortunately, this does not work for me in Chrome on macOS (Mojave)
0 -
@danielharvey: Can you be more specific? What are the exact OS, 1Password, browser, and extension versions you're using, and what are the steps you're taking and the result?
0 -
@brenty, sure, sorry.
1Password 7
Version 7.2.4 (70204000)
AgileBits Store1Password extension
4.7.3.90macOS Mojave
10.14.3 (18D42)Chrome
Version 71.0.3578.98 (Official Build) (64-bit)Steps:
1. Wait until Xero times out and presents this overlay prompt:
2.
3. Select the 1Password hotkey
4. Select the Xero login entry and click fillThe password form is not filled.
Thanks! And let me know if you need more information.
0 -
Hi @danielharvey,
It looks like whatever Jamie found back in July is no longer the case. After getting to the point where I was presented with a re-authentication prompt I found it contained the original
srcdocattribute that was causing the original issue. Sadly Jamie's previous statement will now hold true once more. You will either need to copy and paste the password or use drag and drop, whichever you find more convenient. Sorry the news wasn't better.0 -
Thanks for the confirmation, I will submit a support request to Xero referencing this thread.
0 -
I was hoping I was missing something. Hopefully it can be improved. :(
0
