1Password Browser Extension Code Injection
Any Engineer at @1Password here? Your Chrome Extension seems to have recently started breaking HTML from certain pages. For example, the Node.js website code snippets break when 1Password Extension is enabled.
1Password browser extension is injecting Prism.js globally on every page, which then applies its syntax highlighting logic on all `<code>` blocks matching `[lang=*]` regardless of whether it’s meant to be compatible, thus breaking original highlighting.
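The difference between a highlighter run over the whole page and one confined to the extension's own UI, as an added example that is not part of the quoted post and is neither 1Password's nor Prism's code. The page tree, the `owner` label and the function names are constructed, and the matching rule (a `language-`/`lang-` class on a `<code>` element or an element above it) is an assumption of this model.

```javascript
// Constructed page model (not real DOM): node = { tag, cls, owner, children }.
// `owner` is a label added for this example; a real DOM does not record it.
const node = (tag, cls, owner, children = []) => ({ tag, cls, owner, children });

const extensionUi = node("div", "ext-popup", "extension", [
  node("code", "language-json", "extension"),
]);
const page = node("body", "", "site", [
  node("pre", "language-js", "site", [node("code", "", "site")]),
  node("code", "lang-bash hljs", "site"), // already styled by the site's own highlighter
  node("code", "", "site"),               // no language class: never selected
  extensionUi,
]);

// Assumed matching rule: a language-*/lang-* substring in the class attribute.
const marked = (n) => n.cls.includes("language-") || n.cls.includes("lang-");

// Return every <code> below `root` that is marked itself or sits under a
// marked element (root included). Ancestors above `root` are ignored here.
function highlightTargets(root, inherited = marked(root), out = []) {
  for (const child of root.children) {
    const hit = inherited || marked(child);
    if (child.tag === "code" && hit) out.push(child);
    highlightTargets(child, hit, out);
  }
  return out;
}

// Elements the highlighter would rewrite that the extension did not create.
function collateral(root) {
  return highlightTargets(root).filter((n) => n.owner !== "extension");
}

console.log("global run touches site blocks:", collateral(page).length);
console.log("scoped run touches site blocks:", collateral(extensionUi).length);
```

Because a content script shares the page's DOM, only the scoped call leaves the site's own code blocks untouched.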
As I’ve said, I dislike this whole architecture where you need a browser extension that can read and write to the page in order to enter your password. I would hope that as little code as possible is injected and that it’s all been vetted by 1Password, not just pulled down as a dependency.
We’re aware of an issue in recent versions of the 1Password browser extension that can interfere with syntax highlighting on some pages.
The team is actively working on a fix. We don’t have a timeline to share yet, but keeping the extension up to date will ensure you receive it once it’s available.
Sorry this bug slipped through our release process. I just raised this issue again in our internal Slack. We are working on getting a fix out.
[…]
The fix has already been merged into our main branch. We’ll be putting out a release with just this fix. I’m hoping to have it submitted to the browser extension stores today [December 30].
It’s unclear to me whether this is fixed. The latest Mac version still seems to be 8.11.22 from December 9. When I go to the page for the browser extension and click “what’s new” it takes me here, which is a release from December 30 that talks about passkeys and then says only:
We’ve made general improvements and fixed various bugs for a better 1Password experience.
I don’t see anything on the announcements page or Twitter.
I’m glad @1Password is taking this seriously now. But this issue was reported on their community forum and to their engineers weeks ago in beta and was not prioritized as a fix until it went viral here. Every company is guilty of this kind of triage, but this is a process failure as much as it is a testing one.
really hoping to read a postmortem on this one
Previously:
- Password Manager Browser Extension Clickjacking
- 1Password to Add Telemetry
- 1Password 8 for Mac
- iOS Safari Extension: 1Password
- Safari 13 and Extensions
Update (2026-01-08): Paulo Andrade:
One more reason for dumb extensions. Secrets extension doesn’t do anything to the page before it’s summoned. And even after that, it doesn’t change the DOM in any way (aside from filling input fields).
VS:
Apple does make autofill API available… it’s entirely 1P’s choice to not use it.
I’d say the API is the preferred way. It works fine, and also works on other native apps.
6 Comments
> this whole architecture where you need a browser extension that can read and write to the page in order to enter your password
This is a choice by 1Password, they use the system API on iOS that doesn't require injecting a script and supports autofill in native apps, but haven't adopted it on MacOS.
https://developer.apple.com/documentation/AuthenticationServices
Autofill APIs in general and corporate support for them is a perfect example of why this anarchic internet system barely works.
The browser makers/platform owners/gatekeepers do not want autofill interoperability. They want you to store all your most important identities inside their system and their system only, so that the average user has an insurmountable barrier to leaving.
They don't want autofill to work the way users want it, they want it to work the way they want it.
So as usual the only technical solution is to use the one with the most read/write privileges at the lowest level to get around this purposeful enshittification.
@VS Technically true, but @bart is talking about the API provided. Strongbox is a terrific app, the more so for using that API, but its autofill support on Safari will accordingly be mediocre for the foreseeable, until Apple improves it. The choice is therefore between functionality that works more-or-less as most people would expect a decent password manager extension to work, and functionality that's acceptable but not great but at least it doesn't have the attack surface of JS inlining and allows autofill from Apple's Keychain as well as other apps.
To be sure, I don't have answers. I only say that I have to open the Strongbox app up more often to copy-paste than I had to under 1Password when I used that. It is clear why they are doing this.
Don't forget that they published they would support the system auto-fill when it was announced: https://1password.com/blog/autofill-on-big-sur
I see they have now added an "update" since they went back on this and didn't implement it.
@Sebby yes thank you that is what I meant. And further that Google and Microsoft also have no incentive to properly support the even mediocre built in API. Google, Apple, and Microsoft all want identities stored within their systems and so force people who know better to use workarounds, while forcing the average user into their preferred flow.
Which is why I called it enshittification because it is deliberately designed in the corporation’s favor instead of the user’s in every case.