1Password can't autofill Ghost.io logins

Open nk9 opened this issue 1 year ago • 20 comments

Issue Summary

Users cannot use a saved email or password on Ghost.io sites with 1Password. I've reproduced this on Firefox and Chrome with the 1Password browser plugin, and also iOS. It probably doesn't work with any password manager, given the reason for the bug, but I've only tested 1Password.

The problem is that the login form is shown to the user in an anonymous (domain-less) iframe. You can read more about how I worked out what the problem was with Ghost in this thread, and more about the technical specifics of the about:srcdoc issue in this other thread.

Suffice it to say, password managers are not able to determine the domain of the page hosting the form when that page is generated dynamically and set inside an anonymous iframe. Because one of the important goals of password managers is to prevent phishing, they are very particular about ensuring that they only suggest an item for completion when the domain of the page matches the saved domain. Since the login forms in Ghost are all hosted inside these anonymous frames, there is no domain, just about:srcdoc. In the case of desktop browsers, 1Password does use the domain in the URL bar to look for possible matches. But it still won't allow you to auto-fill into an anonymous iframe for the phishing reason described above.

It seems like the solution to this will have to involve either loading actual pages with a URL into the iframe, or else dispensing with the iframe entirely and just overlaying the form with JS/CSS.

The code which generates this page is probably here, although there are a couple of places which seem to generate anonymous iframes, so I'm not exactly sure which one is used by the login form(s).

Steps to Reproduce

  1. Create a Ghost.io login in your password manager. Set the email and password. Ensure that it's tied to the domain used by your Ghost.io site.
  2. Visit the Ghost.io site and attempt to auto-fill the username (email) and password.
  3. Notice that you can't autofill them. On iOS, it doesn't even find the correct item.

Ghost Version

5.50.2? whatever version is live on ghost.io

Node.js Version

0

How did you install Ghost?

Hosted by ghost.io

Database type

Other

Browser & OS version

Mac: Chrome, Firefox; iOS: Safari

Relevant log / error output

No response

Code of Conduct

  • [X] I agree to be friendly and polite to people in this repository

nk9 • Jun 07 '23 14:06
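
The domain check the issue describes, as a simplified model added here for illustration (not part of the original issue, and not 1Password's or Ghost's code): suggestions are looked up by the top-level URL, while filling is allowed only when the frame's own URL carries a matching host. The function names, the subdomain-matching rule and the `myblog.example` / `lookalike.example` URLs are assumptions.

```javascript
// Added illustration: simplified model of the anti-phishing domain check.
// Matching rules and all names here are assumptions, not a real product's logic.

// Host of a document URL, or null when the URL carries no domain
// (about:srcdoc, about:blank, data:, blob: and anything unparsable).
function documentHost(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  return parsed.hostname || null;
}

// Assumed rule: exact host, or a subdomain of the saved host.
function hostMatches(host, savedHost) {
  return host !== null && (host === savedHost || host.endsWith('.' + savedHost));
}

// suggest: item is offered based on the URL-bar domain (desktop behaviour in the issue).
// fill: credentials are only typed into a frame whose own URL matches.
function autofillDecision({ topUrl, frameUrl, savedHost }) {
  const suggest = hostMatches(documentHost(topUrl), savedHost);
  const frameHost = documentHost(frameUrl);
  if (frameHost === null) {
    return { suggest, fill: false, reason: 'frame has no domain' };
  }
  if (!hostMatches(frameHost, savedHost)) {
    return { suggest, fill: false, reason: 'frame domain differs from saved item' };
  }
  return { suggest, fill: true, reason: 'frame domain matches saved item' };
}

// Constructed sample inputs.
const saved = 'myblog.example';
const cases = {
  // Current behaviour: form injected via srcdoc, so the frame URL is about:srcdoc.
  srcdocFrame: { topUrl: 'https://myblog.example/', frameUrl: 'about:srcdoc', savedHost: saved },
  // Proposed fix: the iframe loads a real same-site URL (path is hypothetical).
  urlFrame: { topUrl: 'https://myblog.example/', frameUrl: 'https://myblog.example/signin-frame', savedHost: saved },
  // Why the check exists: an unrelated page can also host a domain-less frame.
  foreignParent: { topUrl: 'https://lookalike.example/', frameUrl: 'about:srcdoc', savedHost: saved },
};
for (const [name, c] of Object.entries(cases)) console.log(name, autofillDecision(c));
```

The `srcdocFrame` and `foreignParent` cases look identical from inside the frame, which is why a manager that only trusts the frame's own URL refuses both.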