1Password appending `?onepasswdfill=....` to some URLs

jimgarrison
jimgarrison
Community Member
edited May 2018 in 1Password 4 for Windows

1Password 4.6.2.626, just saw this for the first time.

Normally, when I click on a URL in the 1Password window it just launches a new tab in Firefox with exactly the URL from 1Password.

When the URL is https://minecraft.net/ (with or without the trailing slash) it appends ?onepasswdfill=HEXCHARACTERS... causing the site to respond with (in this case) a 403 error.

I have auto-submit turned off, and cannot find any preference related to this. Also, I DO NOT have the Firefox extension installed. I don't want 1Password to enter any information for me, I want to retain complete control of all data transfer between 1Password and my browser.


1Password Version: 4.6.2.626
Extension Version: N/A
OS Version: Win7x64 Pro
Sync Type: Dropbox

Comments

  • gazu
    gazu
    Community Member

    There isn't an option to do this.

    Your only solution is not to store the URL in 1Password.

  • Greg
    Greg
    1Password Alumni

    Hi there @jimgarrison,

    Thank you for getting in touch!

    First of all, could you please share why you are using 1Password in such way? The beauty of 1Password is in filling your credentials in the browser, so I am really curious to find out more about the way you are using 1Password on your computer.

    Secondly, please check if you have Submit enabled for your Minecraft.net Login item:

    Does the issue remain with this item only? Please let me know. Thanks! :+1:

    ++
    Greg

  • jimgarrison
    jimgarrison
    Community Member

    @Greg

    I do not want 1Password pasting anything automatically, I want to retain control of where my passwords are copied to. This is basic security self-defense against something unexpected happening.

    The issue happens only with this one particular entry/URL

    I changed from "If auto-submit is ON" to "Never" and it still happens

    I also disabled "Display in web browser" and that had no effect either.

  • AGAlumB
    AGAlumB
    1Password Alumni

    I do not want 1Password pasting anything automatically, I want to retain control of where my passwords are copied to. This is basic security self-defense against something unexpected happening.

    @jimgarrison: Right, that's why 1Password doesn't paste anything (you would have to explicitly copy and paste something yourself), and it only ever fills when and where you tell it to.

    The issue happens only with this one particular entry/URL I changed from "If auto-submit is ON" to "Never" and it still happens

    The problem you're having is that, since there is no 1Password extension installed in the browser, there is nothing there to accept 1Password's extension command, and then the browser opens the full URL including the UUID meant for the extension. Opening a URL using 1Password is designed to Open and Fill login credentials on that page. If you don't want that behaviour, don't have 1Password open the page for you; do it yourself. I hope this helps. Be sure to let me know if you have any other questions! :)

  • jimgarrison
    jimgarrison
    Community Member

    Well, this does not happen with ANY other entries, and I have several hundred entries and use 1Password maybe half a dozen times a day. I always launch URLs from 1Password and this is the only one that displays this behavior.

  • Greg
    Greg
    1Password Alumni

    Hi @jimgarrison,

    This is quite strange. If you save another Login item for this website manually, does the issue remain with it? Please let us know.

    Thanks! :+1:

    ++
    Greg

  • jimgarrison
    jimgarrison
    Community Member

    It appears the onepasswdfill parameter is being added to all URLs launched from within 1Password.

    This is just the first time I've encountered a site where that causes the site to return an error.

    How do I disable this behavior? I want the convenience of launching the site but do not want the onepaasswdfill parameter added.

  • Greg
    Greg
    1Password Alumni

    Hi @jimgarrison,

    Opening a URL using 1Password is designed to Open and Fill login credentials on that page. As Brenty mentioned above, if you don't want this to happen, you can open the website in the browser and then copy/paste your credentials from 1Password. However, I would recommend you to use 1Password extension in order to fill your credentials:

    Use the 1Password extension to save and fill passwords on your Windows PC

    Please note that 1Password does not paste anything for you automatically, it only ever fills when and where you tell it to. You can learn more about this behaviour in this post in our blog:

    1Password keeps you safe by keeping you in the loop

    I hope it helps. Let us know if you have any other questions, we will be happy to help. Thank you!

    Cheers,
    Greg

  • jimgarrison
    jimgarrison
    Community Member

    Why is it hard for you to understand "don't append onepasswdfill to my URL"? Is that so hard to do? I don't want ANY automation of any kind between 1Password and the browser. That should be an option in any security-related program.

    If I choose not to install the browser extension (and 1Password is aware that is my preference) it should not add the parameter to the URL.

  • MikeT
    edited May 2018

    Hi @jimgarrison,

    We'll look into adding a feature to prevent any type of automation with the browsers, we don't have one right now.

    If I choose not to install the browser extension (and 1Password is aware that is my preference) it should not add the parameter to the URL.

    Unfortunately, the preferences you speak of simply modifies how 1Password extension behaves, it does not disable the integration. We'll look at adding one that simply turns off everything.

  • BodyulCG
    BodyulCG
    Community Member

    Hello,
    I am a new user of 1Password, and I also noticed this GET parameters in url, and google brought me to this topic. I see that more than a year has passed since the last message, so I wanted to ask, can this be disabled now?

  • Hi @BodyulCG

    If you use the "Go & Fill" feature in 1Password (by clicking on a URL within the app / browser extension) then 1Password will append the necessary information for that feature to function to the URL. There is no way to disable that. The only workaround would be to not use Go & Fill.

    Ben

This discussion has been closed.