Browser extension: Couldn’t connect to 1Password

BenjaminVanRyseghem
BenjaminVanRyseghem
Community Member

Hi, I am using the latest Chromium (60.0.3112.101), and the latest 1password (Version 6.8.1 (681006)), and since a couple of weeks, it seems that the connection between Chromium and 1p mini is difficult.

It sometimes works, and everything is fine for days, then suddenly, the connection can't be made, and I can't find a way to work around it (uninstalling/reinstalling the extension, rebooting Chromium, rebooting my Mac Book Pro ...)

I tried the Troubleshooting app, and turned off Little Snitch, removed ABP, but even there it fails (and it was working perfectly before)

Here is the 1p mini log if it helps:

Sat Aug 26 23:39:11 2017| 681006 [HELPER:(Main Thread):] S toggleStatusItem: | Activating mini popup
Sat Aug 26 23:39:17 2017| 681006 [HELPER:(Main Thread):] M applicationWillFinishLaunching: | Starting 1Password mini 6.8.1 #681006 built Aug 23 2017 10:33:09
Sat Aug 26 23:39:17 2017| 681006 [HELPER:(Main Thread):] M applicationDidFinishLaunching: | Starting 1Password mini 6.8.1 #681006 built Aug 23 2017 10:33:09. Running from: /Applications/1Password 6.app/Contents/Library/LoginItems/2BUA8C4S2C.com.agilebits.onepassword4-helper.app
Sat Aug 26 23:39:17 2017| 681006 [DATABASE:(Main Thread):] S openDatabaseWithError: | SQLite Version: 3.8.10.2
Sat Aug 26 23:39:17 2017| 681006 [DATABASE:(Secondary Thread 0x7fd090c9c4d0):] S openDatabaseWithError: | SQLite Version: 3.8.10.2
Sat Aug 26 23:39:17 2017| 681006 [HELPER:(Secondary Thread 0x7fd090f58910):] S activeProfileWillChangeNotification: | Enabling reauth requests for all accounts.
Sat Aug 26 23:39:17 2017| 681006 [HELPER:(Secondary Thread 0x7fd090c9f160):] S b5DatabaseIsReady | B5 Database opened successfully!
Sat Aug 26 23:39:17 2017| 681006 [DATABASE:(Secondary Thread 0x7fd090c9f160):] S openDatabaseWithError: | SQLite Version: 3.8.10.2
Sat Aug 26 23:39:17 2017| 681006 [XPC:(Secondary Thread 0x7fd090c9f160):] S start | Starting XPC Server
Sat Aug 26 23:39:17 2017| 681006 [EXT:(Main Thread):] M start | [ES3] Starting JSE server on port 6258
Sat Aug 26 23:39:17 2017| 681006 [EXT:(Main Thread):] M start | [ES4] Starting JSE server on port 6263
Sat Aug 26 23:39:17 2017| 681006 [XPC:(Secondary Thread 0x7fd090e76710):] S listener:shouldAcceptNewConnection: | connection accepted
Sat Aug 26 23:39:17 2017| 681006 [EXT:(Secondary Thread 0x7fd090e76710):] S hostDidConnectWithXPCConnection: | NativeMessageHost Connected: connection from pid 6704
Sat Aug 26 23:39:17 2017| 681006 [EXT:(Secondary Thread 0x7fd090e76710):] S sendAction:payload: | [ES4 0x7fd090f931d0] sendAction: 'authBegin'
Sat Aug 26 23:39:17 2017| 681006 [EXT:(Secondary Thread 0x7fd090e76710):] S sendAction:payload: | [ES4 0x7fd090f931d0] sendAction: 'authContinue'
Sat Aug 26 23:39:17 2017| 681006 [EXT:(Secondary Thread 0x7fd090cc55c0):] S sendWelcome | Welcoming version 4.6.7 of (null).
Sat Aug 26 23:39:17 2017| 681006 [EXT:(Secondary Thread 0x7fd090cc55c0):] S sendAction:payload: | [ES4 0x7fd090f931d0] sendAction: 'welcome'
Sat Aug 26 23:39:19 2017| 681006 [XPC:(Secondary Thread 0x7fd090e76710):] E selectAllObjectsForProfileUUID:reply: | Invalid request. Profile is locked
Sat Aug 26 23:39:19 2017| 681006 [EXT:(Secondary Thread 0x7fd090c9f160):] M webSocketForURI: | [ES4] Extension connected Chrome-Extension 'chrome-extension://aomjjhallfgjeglblehebfpbcfeobpgk / (null)'
Sat Aug 26 23:39:19 2017| 681006 [EXT:(Secondary Thread 0x7fd090e76710):] S didOpen | [ES4 0x7fd090f596b0] Connected 'chrome-extension://aomjjhallfgjeglblehebfpbcfeobpgk:50640'
Sat Aug 26 23:39:20 2017| 681006 [EXT:(Secondary Thread 0x7fd090c9f160):] S findExtensionProcessForPort: | [ES4 0x7fd090f596b0] Connected chrome-extension://aomjjhallfgjeglblehebfpbcfeobpgk:50640: launched 2017-08-26 21:23:43 +0000
Sat Aug 26 23:39:20 2017| 681006 [EXT:(Secondary Thread 0x7fd090c9f160):] E findExtensionProcessForPort: | Stopping connection since no we no longer accept connections over websockets for this type of client.


1Password Version: 1Password 6 Version 6.8.1 (681006) AgileBits Store
Extension Version: 4.6.10.90
OS Version: 10.11.6
Sync Type: Not Provided

Comments

  • Hi @BenjaminVanRyseghem,

    I'm sorry that this hasn't been working perfectly for you. We're in a bit of a transition period with how web browsers are communicating with apps, and things are still bumpier than we'd like them to be.

    Based on the logs you're showing, it looks like the 1Password extension in Chromium is attempting to connect to 1Password via the old Websockets method as a fallback. The 1Password app knows that the Chrome extension should support Native Messaging and so it's rejecting the connection when it tries to connect via websockets.

    I'm not super familiar with what conditions could cause the browser extension to fallback to websocket connections, so I'm going to ask people who are more familiar with all of this to try to get you a better answer.

    Rick

  • AGAlumB
    AGAlumB
    1Password Alumni

    @BenjaminVanRyseghem: The only thing I can think of that would allow this to work some of the time is that you have multiple copies of 1Password, and an older one (using the legacy WebSockets communication) is being launched at times by macOS. There's a lot packed into that statement, so I'll explain.

    1Password uses Native Messaging and connects to known, supported browsers. This is enforced by code signature verification, which 1Password checks before connecting and sending any data. Chromium, not being signed, will always fail this check. In the past it could work with WebSockets if you manually disabled the check, but this does not work with Native Messaging. I'd recommend using Vivaldi or Brave (as alternatives to Chrome, if you don't want to use that) since both are supported and signed so that 1Password can know it isn't sending your sensitive data to just any app (being unsigned, anything could pose as Chromium).

    Also, definitely do a Spotlight search on your Mac to make sure you don't have extra copies of 1Password hanging around, since that can cause some trouble for you if macOS launches the wrong one. I hope this helps clear up this mysterious behaviour. Be sure to let me know if you have any other questions! :)

  • jxpx777
    jxpx777
    1Password Alumni

    To add on to what Brenty and Rick both said, @BenjaminVanRyseghem, I'll say that going forward, we are not going to allow disabling of code signature verification. This was necessary in the past for a few reasons, mostly concerning proxy software and other security tools that could prevent 1Password from properly locating a legitimate, signed browser. Now that we have native messaging, the connection from the browser to 1Password isn't subject to the vagaries of the network environment, so we can be more stringent in our requirements that the browser connecting be codesigned.

    Right now, this limits connections to browsers that 1Password has hardcoded support for. In the future, we want to make it possible to include other browsers at the user's choosing, but there are a lot of other items on our plate to address first and we're not sure when we might be able to tackle that. If we allow unsigned browsers such as Chromium to connect to 1Password (and that is a big if to be frank), the experience will never be as smooth as for signed browsers.

    I wrote a fairly lengthy reply about this question a while back to discuss why we don't recommend using Chromium and to suggest some alternatives instead. I'd love to hear your reasoning for using Chromium in case there is a use case we haven't thoroughly considered. But really, using Chromium involves a lot more work to stay up to date and carries with it a lot more risk since there is no code signing and no published hashes of the executable for you to verify independently, so I would think those reasons would have to be very strong in order to take on those downsides.

    I hope this helps. Let us know if you have other questions.

    --
    Jamie Phelps
    Code Wrangler @ AgileBits
    Fort Worth, Texas

  • BenjaminVanRyseghem
    BenjaminVanRyseghem
    Community Member

    Vivaldy seems closed source, and Brave lacks plugins (to say the least)

    So I think I will keep having a broken stack for now, or switch to FF

  • jxpx777
    jxpx777
    1Password Alumni

    Yah, Brave takes a different approach to extensions where they basically have a whitelist of them. I think I heard rumblings that they were considering something a bit more promiscuous, but I don't know for sure. Worth asking in their community forum though!

  • BenjaminVanRyseghem
    BenjaminVanRyseghem
    Community Member

    I am still confused why sometimes it works sometimes it doesn't? (I double check, I only have one version of 1p)

    I think Brave will support the new FireFox universal plugin architecture so hopefully a lot of plugins are gonna crash there.

    Testing FF Nightly in the meantime

  • Firefox Nightly has been my choice of browser as of late. If we can be of further assistance, please don't hesitate to contact us.

    Ben

This discussion has been closed.