Some x-callback-URL love would be great

Implementing x-callback-url support by bringing in a 'Back to source app' button within the 1Password app, something the developer of Terminology app has done (who incidentally happens to be the inventor of x-callback-URL) with his app, would be great. This would remove all the minor hassles one assocoaites with juggling from 1Password to the source app. Please give it a thought.



  • MeganMegan

    Team Member

    Hi @arnabdas,

    Thanks so much for taking the time to write in with your suggestion! This is something that we are seriously investigating. As usual, I certainly can't make any promises: the trick here is finding a secure way to make this work for 1Password, but we'd love to be able to make 1Password a bit more efficient using a method like this. :)

  • May I try to fast-forward this investigation?

    Google Maps is an obvious reference for the way I believe 1Password should implement x-callback-url.

    Using the x-source parameter, the user has a reference of where he's going back to.

    Now let's consider a hack. User gets redirected from a Safari link to 1Password, he's silly and decides to copy the password and bounce back. First, unless the hacker built a whole scheme, there's no way he could identify for what service is the password for. On the other hand, apps could possibly handle your clipboard, however, it must be pasted somewhere. For example, an email or a message would demand the user to send the message still. This makes everything more difficult because the hacker still doesn't know your service.

    If he built an entire parade to steal your password, you'd still double press the Home button, pick your password in 1Password, double press again, return, paste it and send it. There's just no way a malicious user could abuse of x-callback-url in 1Password in means he couldn't be able to abuse already.

    As the main reason to purchase 1Password, in my opinion, is to add another level of security, I presume you have very smart customers who wouldn't be tricked like that. After all, they haven't until today at least (:

  • MeganMegan

    Team Member

    Hi Phillip,

    Thanks so much for adding your thoughts here! Since we're getting a bit technical with respect to security, I'm going to ask our security expert @jpgoldberg to weigh in here. He'll be able to discuss this a lot better than I :)

  • jpgoldbergjpgoldberg Agile Customer Care

    Team Member

    Thanks for the great suggestion, @arnabdas!

    At this point I am inclined to agree with Phillip that this sort of x-source callback would not present any new risk. Of, as those who've been around these forums for a while will know, we can't make any promises about new features.


    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits

  • Glad to know you agree with me, Jeffrey.

    When it comes to implement x-callback, I don't know the documentation very well, but you can always talk to Greg Pierce from Agile Tortoise to make the x-source parameter obligatory when the user creates an action using x-callback-url.

    I hope to see this feature someday, but right now I'm happy to learn we're on the same page on the subject.

This discussion has been closed.