Why was auto-submit removed? [Intentional; auto-submit not returning]


Comments

  • AGAlumB
    1Password Alumni

    @Mayben: Ah, sorry about that. Indeed, it's come up a few times. :)

  • jasonpress
    Community Member
    edited November 2018

    No, changes by Apple have removed this possibility in Safari (I think it was the update to Safari 12). You will just have to get used to pressing Return in Safari, or else use Firefox or Chrome.

    @danco, from this comment, it sounds like auto-submit should work in Chrome. However, after updating from High Sierra to Mojave (10.14.1) yesterday, I have been unable to confirm this. Am I misunderstanding this post or should auto-submit work in Chrome?

  • Lars
    1Password Alumni

    @jasonpress - we removed auto-submit entirely in 1Password 7 for Mac due to the changes that were made by Apple. We might have been able to find some sort of work-around for other browsers such as Chrome or Firefox, but rather than attempting to DIY a solution that went against the expressed intention of the OS developer (Apple), we chose to respect it (because we agree with it), and let auto-submit sunset everywhere in 1Password for Mac.

    Yes, this means users everywhere (including us) are going to have to once more get used to pressing "return" with our fingers, just as we do dozens if not hundreds of times a day in other circumstances, typically. But we felt it was a small price to pay for increased overall security and dependability of the process. In previous versions of 1Password, when auto-submit was still enabled, here's what was automated by 1Password. Double-clicking a Login item in the main window of 1Password resulted in:

    1. Launching your default browser, if it was not already launched
    2. Opening the URL of the login page you double-clicked
    3. Filling in your saved credentials
    4. Pressing return to (hopefully) submit the form.

    When this process worked, it was slick enough that it almost seemed like magic. But it didn't work on every login page, and when auto-submit failed due to the design of the login page a user visited, it caused confusion and trouble for users.

    In its current iteration (without auto-submit), all of those things still happen...except for #4, meaning that the vast majority of the work - launching the browser, switching to the browser, entering the URL, pressing return, filling in credentials - still takes place with one simple double-click. Only pressing return manually (or using the mouse to click "submit" or "login") remains. This actually gives you, the user, the chance to observe the filling before submitting, to make sure there weren't any errors there.

  • jasonpress
    Community Member

    @Lars - Understood. Thank you for the detailed explanation.

  • Lars
    1Password Alumni

    @jasonpress - you're quite welcome! Glad I was able to clarify. :)

  • AGAlumB
    1Password Alumni
    edited November 2018

    this means users everywhere (including us) are going to have to once more get used to pressing "return" with our fingers

    I do, however, sometimes press Return with my nose. Just for fun. Much easier than using it to navigate on an Apple Watch (though it can be done). True story. 👃👍

  • shipandlake
    Community Member

    Lack of auto-submit really messes up flow with single-time passwords. In the past submit and copying of the STP to clipboard happened automatically, now if you delay submission getting a new token is harder. Are there any plans to improve this?

  • Lars
    1Password Alumni

    @shipandlake - I'm not quite clear what you'd like us to improve? The recommended step is to press return/enter as soon as filling is completed. If you choose not to do that, you would definitely need a new TOTP code. Seems pretty easy to avoid, however: just press return after filling, instead of waiting.

  • AGAlumB
    1Password Alumni

    @shipandlake: Just to clarify, the TOTP code is copied to the clipboard immediately upon filling the Login, and you've got at least a full minute to paste it before it's cleared (might be a minute and a half; I don't recall at the moment). Generally I don't find that it takes me that long to find the Return key...but when I do get distracted, pressing ⌘ \ again will result in the TOTP code being copied -- and actually nowadays 1Password for Mac can even fill the TOTP code into the web page directly in most cases. Not something that's well-known, as it's a fairly recent addition and most people are used to using the clipboard. Perhaps that will help you though. :)

  • josenphd
    Community Member

    Folks, in many login pages pressing ‘return’ accomplishes absolutely nothing. Either that or my return key is broken. So all 1P does is fill blanks... no different than the same annoying behavior in iOS. I have to use my mouse to go ...click...; What you have done is make the process more manual for me.

    Thus, short of being a database to keep passwords and other “convenient” data that will not populate anyway, the software does nothing special, nothing useful except remember data. I left Lastpass for 1P because 1P was more convenient, had more convenient features, and had a better UI. Aside from that, now you keep stripping functionalities that makes your product “yet another one.”

    Give me reasons to stay with 1P. I can find none.

    J

  • AGAlumB
    1Password Alumni

    Folks, in many login pages pressing ‘return’ accomplishes absolutely nothing. Either that or my return key is broken. So all 1P does is fill blanks... no different than the same annoying behavior in iOS. I have to use my mouse to go ...click...; What you have done is make the process more manual for me.

    @josenphd: It's been a long time since I encountered a website that was -- as far as I'm concerned, from a web standards perspective -- broken in such a way as to prevent the Return/Enter key from submitting the form. I can't guarantee anything, but if you'll give me the URLs and versions you're using (OS, 1Password, browser, and extension) I'll be happy to look into it to see if there's a workaround.

    Thus, short of being a database to keep passwords and other “convenient” data that will not populate anyway,

    Wait, are you also unable to fill login credentials using 1Password? That's very different from what's being discussed here, but I'll be happy to help if I can. I will need the details I requested above though.

    the software does nothing special, nothing useful except remember data. I left Lastpass for 1P because 1P was more convenient, had more convenient features, and had a better UI. Aside from that, now you keep stripping functionalities that makes your product “yet another one.” Give me reasons to stay with 1P. I can find none.

    Security, privacy, support, design... I could go on, and I'll be happy to elaborate on any of those, but I'm not sure how deep you want to go here. For me personally, having a safe place to store sensitive information, an easy way to access and use it across all my devices, and not having to worry about any of it being misused or misappropriated in any way is worth it. Your mileage may vary, depending on what you value though.

  • josenphd
    Community Member

    Brenty,

    You ought to be kidding. If you have not seen a site that does not take the return key. You want a list?

    bbt.com
    ember.com
    schwab.com
    pnc.com

    and so on. Notice that all are financial institutions. So if you don't do online banking, I guess 1P is just dandy the way it was disabled. But right now I'm having to move my mouse to the "submit" (or equivalent) button for the site to take the data 1P entered.

    So, as I say, 1P has been crippled. You may say it is because of security all you want; all I know is that you don't cure the disease by killing the patient. You should have found another solution that did not take away functionality.

    And that's all I have to say on this topic. Cheers to all.

    Jose

  • AGAlumB
    1Password Alumni

    You ought to be kidding. If you have not seen a site that does not take the return key.

    @josenphd: That isn't what I said. ;) Read it again:

    It's been a long time since I encountered a website that was -- as far as I'm concerned, from a web standards perspective -- broken in such a way as to prevent the Return/Enter key from submitting the form.

    Sorry if I wasn't clear enough there.

    You want a list?

    Yes, actually:

    if you'll give me the URLs and versions you're using (OS, 1Password, browser, and extension) I'll be happy to look into it to see if there's a workaround.

    Thank you! It would have been helpful if you included the other information I requested, but I tested these with my current setup:

    bbt.com

    I was able to save and fill a new login here using 1Password. Pressing Return/Enter after filling submitted the form.

    ember.com

    I don't see a login form here at all.

    schwab.com

    I actually have a few Schwab accounts, and haven't encountered difficulty using Return/Enter to submit the form. They do have multiple login portals though, so maybe using a different one would help. Like this: https://www.schwab.com/public/schwab/nn/login/login.html&lang=en

    pnc.com

    I was able to save and fill a new login here using 1Password. Pressing Return/Enter after filling submitted the form. Again. So I'm wondering if there's something different about your setup, or the specific steps you're taking.

    and so on. Notice that all are financial institutions. So if you don't do online banking, I guess 1P is just dandy the way it was disabled. But right now I'm having to move my mouse to the "submit" (or equivalent) button for the site to take the data 1P entered. So, as I say, 1P has been crippled.

    No, and that's a pretty inappropriate thing to say. Please keep that sort of talk to yourself in the future. I am sorry if you had difficulty moving your mouse though. If you can provide more details about your situation, I suspect we can find a solution though, since it seems to be working here.

    You may say it is because of security all you want; all I know is that you don't cure the disease by killing the patient.

    Also a terribly insensitive attempt at a metaphor. I'm guessing you wouldn't be talking like this if you had anyone you cared about with medical issues.

    You should have found another solution that did not take away functionality.

    In case you missed it, Lars already explained earlier in this discussion why we're not going to do that:

    Apple's intention has clearly been to remove this ability for security reasons, and given that plus the fact that auto-submit was essentially a hack in macOS (simulating a key-press, which worked great when it worked at all, but which didn't work at all a not-inconsiderable portion of the time) we felt it was time to respect the conventions of the platform and the clear direction of its developer, rather than look for ways to get around them to retain/renew/refresh this feature.

    Something to consider.

    And that's all I have to say on this topic. Cheers to all.

    Okay, Jose. Take care.

  • hthought
    Community Member

    Has anybody discovered a DIY mechanism for auto-submission? It's extremely unsettling that 1Password 7 stopped doing it in Mojave. Autofill and autosubmit are easily the top 2 features of 1Password and one of them is now gone (forever, per the devs' words).

    Wish I knew about that before upgrading to Mojave. And I definitely have to critique the 1Pass devs for not being willing to implement a workaround solution for what was one of their app's top 2 features (don't lecture me about security please, I am working in the field).

  • Lars
    1Password Alumni

    Welcome to the forum, @hthought! I'm sorry your workflow is affected by the removal of auto-submit in 1Password 7 for Mac. I think it's been explained multiple times in this thread why this decision was made, but to recap: Apple made substantial changes in Safari 12. Specifically, they disallowed the mechanism we'd been using for auto-submit, which was a small script that simulated the press of the enter key. Their reasoning, which we agree with upon reflection, is that although there are certainly benign uses like ours for such a thing, it's also how some of the world's worst malware installs itself and wreaks havoc: by "pressing the enter key." Apple's argument was that there should be a much higher bar (if it is allowed at all) for an automated script to be able to simulate so consequential a user action as pressing the Return/Enter key. We agree. I'm not sure why you find this "unsettling," and I've no plans to "lecture" you. I'll just say that we don't intend to attempt to defeat or find ways around the express intent of the developer of the hardware and OS on which 1Password for Mac runs.

    Auto-submit was a great feature...when it worked, which was frequently. But there were a not-insignificant number of times when it didn't work because of the large variety of different ways in which Login pages can be coded (among other things). And when auto-submit didn't work, it could often leave the user in a state without (m)any clues as to where they were or what had gone wrong (or indeed that anything at all had gone wrong). To be clear, here's what 1Password did, in previous versions, when you double-clicked an item from the main 1Password for Mac window:

    1. Launched your default browser if it was not running, or brought it to the fore if it was
    2. Opened a new tab or page in the browser, depending on user settings
    3. Filled in the primary URL of the clicked Login item
    4. Launched that page
    5. Filled in your saved credentials from the clicked Login item
    6. Used the small autosubmit.scpt script to (if all went well) submit the form and sign you in

    In 1Password 7 for Mac, ALL of those things still occur, except for #6, which requires a single press of the enter key or mouse click on the Login or Submit button (if you prefer). One mouse click/keypress is what we're talking about, here. In exchange, you get the ability to review the filling logic and make any necessary changes prior to submission (if, for example, the Login page has changed and 1Password is no longer filling correctly, or perhaps you have multiple accounts at a given site and chose the wrong one).

  • hthought
    Community Member

    I like how you say you have no plans on lecturing me right after you finish your full paragraph lecture, that was fun to read :D

    I don't use Safari, just Chrome, and as I mentioned I work in the field, I do understand the reasoning, that's why I was looking for a workaround. It's not that I don't agree with Apple, it's that a knife can be used on an apple or as a weapon.

    I just disagree with your reasoning. Allow me to say that working around a non-existent feature, like simulation of a key press, does not imply that you are breaking the EULA of macOS, unless that's clearly stated. I am sure that you, being a developer, understand that programming is much about finding solutions to problems and working around the existing infrastructure that an OS provides.

    One could suggest that autosubmission or autocompletion of an HTML form using JavaScript should not be simulated in JavaScript, based on the same idea of forging autosubmissions, with CSRF tokens being a custom required security protection.

    On Chrome autosubmit worked for me almost always. I think there must have been like 1-2 websites at most out of the hundreds I've saved. Was very reliable in my experience. I think I only had trouble with a banking account only if I remember correctly, so that excuse won't cut it for me, sorry.

    I have created Python autoclickers myself in the past, but haven't played with it on Mojave yet, but I see a whole lot of autoclicker apps claiming to be working on Mojave on Google (granted, haven't tried them, but there's a bucket load of them on Google).

    Also, I realize that your way of doing #6 may not be working with simulating the key press, alright.

    What about submitting via getting the JavaScript DOM object? Is there a reason why that won't work?

  • Ben

    @hthought

    What about submitting via getting the JavaScript DOM object? Is there a reason why that won't work?

    We've done that, but it did not prove to provide a reliable enough experience to offer it in 1Password.

    I just disagree with your reasoning.

    That's fair, and you're welcome to your opinion.

    so that excuse won't cut it for me, sorry.

    I'm sorry to hear that. It seems you have a few different options to consider, then. It is possible there will be a shift in the landscape that causes it to be a more feasible option to include functionality like autosubmit in 1Password in the future, but I'm not aware of anything coming that would cause that to be the case.

    Ben

  • hthought
    Community Member

    What's not "reliable enough" with submitting via the DOM, if I may ask? If you are able to read the form to set up username/password fields, it should be pretty reliable to get a button which always has the type "submit". It should pretty much ALWAYS work. Feel free to get as technical as you want, no need to hold back.

  • Ben

    Not all forms have a button with a 'submit' action.

    Ben
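
An added example, not part of the original thread and not 1Password's code. Ben's point above, and the earlier report in this thread that Return does nothing on some login pages, are both consistent with the HTML Standard's implicit-submission rules: Enter submits through the form's first submit button or, when there is none, only if the form has at most one text-like field. The markup strings, function names and the simplified tag scanner are constructed for illustration.

```javascript
// Input types that "block implicit submission" per the HTML Standard.
const BLOCKING_TYPES = new Set([
  "text", "search", "tel", "url", "email", "password",
  "date", "month", "week", "time", "datetime-local", "number",
]);

// Minimal scanner for <input> and <button> start tags in a markup string.
// Illustration only: a browser extension would walk the live DOM instead.
function parseControls(html) {
  const controls = [];
  const tagRe = /<(input|button)\b([^>]*)>/gi;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    const attrRe = /([a-zA-Z-]+)(?:\s*=\s*"([^"]*)")?/g;
    let attr;
    while ((attr = attrRe.exec(tag[2])) !== null) {
      attrs[attr[1].toLowerCase()] = (attr[2] || "").toLowerCase();
    }
    controls.push({ name: tag[1].toLowerCase(), attrs });
  }
  return controls;
}

function isSubmitButton(control) {
  const type = control.attrs.type;
  if (control.name === "input") return type === "submit" || type === "image";
  // <button> acts as a submit button unless typed "button" or "reset".
  return type !== "button" && type !== "reset";
}

// Predicts, from markup alone, whether pressing Enter in a field submits.
// Script-attached key handlers are invisible at this level.
function classifyForm(html) {
  const controls = parseControls(html);
  const defaultButton = controls.find(isSubmitButton);
  if (defaultButton) {
    return "disabled" in defaultButton.attrs
      ? { enterSubmits: false, reason: "default-button-disabled" }
      : { enterSubmits: true, reason: "default-button" };
  }
  const blocking = controls.filter(
    (c) => c.name === "input" && BLOCKING_TYPES.has(c.attrs.type || "text")
  ).length;
  return blocking <= 1
    ? { enterSubmits: true, reason: "single-field-implicit" }
    : { enterSubmits: false, reason: "no-submit-button" };
}

// Constructed sample forms (not taken from any real site).
const SAMPLES = {
  standard: '<form><input type="email" name="u"><input type="password" name="p"><button>Sign in</button></form>',
  scriptedDiv: '<form><input type="text" name="u"><input type="password" name="p"><div class="btn" onclick="doLogin()">Log in</div></form>',
  singleField: '<form><input type="password" name="pin"><button type="button" onclick="next()">Continue</button></form>',
  disabledDefault: '<form><input type="text" name="u"><input type="password" name="p"><input type="submit" value="Log in" disabled></form>',
};

for (const [name, html] of Object.entries(SAMPLES)) {
  console.log(name, classifyForm(html));
}
```

The `scriptedDiv` form has no submit control of any kind; its only trigger is a click handler on a `div`, so neither Enter nor a search for a `type="submit"` button reaches it.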

  • hthought
    Community Member

    You are saying that this is the problem? :) Like, really? Not all forms have a "username" field too, which is why 1Password fails in some cases too, but that's understandable. I would think you have regular expressions for larger coverage. Also, I would bet money that more than 90-95% of forms have a button with a submit action or a button that is called Submit/Login/Sign in etc. Should be trivial to cover 99% of cases, same way you do with username/password fields basically.

    I don't get it at all, seems extremely trivial programmatically, but it's your call in the end sure.

  • Ben

    Thanks for the feedback. :+1: :)

    Ben

  • hthought
    Community Member

    I thought so, you're welcome :D

  • AGAlumB
    1Password Alumni

    :)

  • Ben

    Thanks for the feedback. :+1:

    Ben

  • mackuba
    Community Member

    So, I ran into this again, because I need to finally leave 1Password 6 behind since the extension doesn't work on Catalina anymore... I've stuck with v6 on some computers so far because I need to use both Safari and STP there, which sadly doesn't work well in 1Password 7...

    Two comments from me:

    • Mentioning a change of the kind "we've removed a feature you loved, making the UX worse" as the very last point in the "Fixed" section was really not cool. This should have been mentioned in the header of the release notes.
    • I don't understand why I keep reading "Apple has removed support for this in Mojave / Safari 12", while I have a computer with Mojave and Safari 12 in front of me right now, and in 1Password 6 + old extension the autosubmit still works just fine. Some people mentioned here it also worked in 1Password 7.0.x. Is it that the new-style Safari App Extension isn't able to do this and the old one could, or about the hardened runtime that was also mentioned, or what? It's clearly not just Safari 12. (I've never seen the error message that was mentioned earlier.)
  • Lars
    1Password Alumni

    @mackuba

    I don't understand why I keep reading "Apple has removed support for this in Mojave / Safari 12

    Because they did. Safari 12 is the transitional version which still allows for use of and compatibility with older versions (of 1Password, which still use auto-submit). The upcoming Safari 13 will not work with 1Password 6 for Mac at all, and will not allow auto-submit using the method we had been employing (a script simulating the press of the Return/Enter key).

    Some people mentioned here it also worked in 1Password 7.0.x

    I have yet to see an example of auto-submit working in the following configuration: 1Password 7 for Mac running in Safari 12 in macOS 10.14 (“Mojave”). If you can find one that does NOT also include a deliberate hack of the OS via custom user script or app, let us know! :)

    The bottom line here is: auto-submit has been removed for security reasons and I don't see it returning anytime soon. That said, the landscape changes continually, so we'll continue to evaluate it, and should this become feasible in the future while maintaining security, anything's possible. Hope that helps. :)

This discussion has been closed.