keepassxreboot/keepassxc-browser

Credential request ignored from another domain

Closed this issue · 19 comments

Expected Behavior

The password should be automatically filled in on this webpage: https://account.aliyun.com/login/login.htm

Current Behavior

After I updated KeePassXC-Browser to version 1.8.11, it no longer automatically fills in on this website, whereas it worked before the update.

Possible Solution

The domain name of this website is https://account.aliyun.com/, but the login domain is https://passport.aliyun.com/. Previously, I added passport.aliyun.com to the additional URLs in KeePassXC, and it was functioning.
After the update, the same website reports the following error in the debugging information: 'KeePassXC-Browser - Error: Credential request ignored from another domain: passport.aliyun.com'
Is there a way to fix this issue, or to manually set the trusted domains for the current domain so they are not ignored?

Steps to Reproduce (for bugs)

  1. Add https://passport.aliyun.com/ to the additional URLs in KeePassXC
  2. Access https://account.aliyun.com/login/login.htm
  3. It can be noticed that the KeePassXC icon is grayed out and the password is not found
  4. With the debug log opened, it can be observed in the console that there is an error reported as 'KeePassXC-Browser - Error: Credential request ignored from another domain: passport.aliyun.com'.

Debug info

KeePassXC - 2.7.6
KeePassXC-Browser - 1.8.11
Operating system: Mac
Browser: Chrome

There was an issue where the extension allowed iframe to function even if it was entirely from another domain. That should not be accepted. This error is a cause of that fix. Currently there's no easy way to check if the domain actually matches, but maybe there's something that could be done for this. I'll investigate the problem.

Yes, complete allowance is insecure
I don't know if there is a method to set up a whitelist-like feature to specify which nested domains the current domain allows for access, just like CORS.
This would allow users to manually set the domains accessible under a certain domain on a page, ensuring they are not ignored. This ensures both security and usability.

The easiest solution would be to allow iframes from the same top-level-domain. The extension does have a crude method to figure that out, but it's not based on any proper list (like the solution in KeePassXC).

We could add this security exemption as an option in the "custom sites" definition setting. The one where you can define username only detection for example.

This might be the easiest solution. Another one would be to check the TLD from the extension side. There's no API for that, so the whole Public Suffix List would have to be included inside the extension. That's not gonna work.

Yah just make it manual and maybe add the button to the extension pop up like the username only detection

Here are some additional sites that have the same issue with KeePassXC-Browser 1.8.11.

  1. Charles Schwab:
    https://www.schwab.com/
    https://client.schwab.com/

    Embedded login iframe domain:
    https://sws-gateway-nr.schwab.com/

  2. Quicken Simplifi:
    https://app.simplifimoney.com/

    Embedded login iframe domain:
    https://signin.quicken.com/

From a user perspective, the above-mentioned solution of having an "Allow 3rd-party iframes" option in settings and in the pop-up, similar to "username only detection", would be excellent.

Ran into the same issue today on https://finanzblickx.buhl.de/login.

That option will be implemented for the next version.

I found a way to implement a check using TLDs, so iframes from the same base domain should work directly. I still want to add that option to the feature too, because for example https://app.simplifimoney.com/ is using a login iframe entirely from another domain. Users should be able to allow that manually.
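As an added illustration of the two checks discussed in this thread (same registrable base domain via public-suffix rules, plus a per-site manual allowance for iframes from a different domain), here is example code that is not part of keepassxc-browser or PR #2079. The suffix set is a constructed subset of the Public Suffix List, and `allowedOrigins` is a hypothetical stand-in for the proposed per-site setting.

```javascript
// Constructed subset of the Public Suffix List so the example runs offline.
// A real implementation needs the full list (or an equivalent rule source).
const PUBLIC_SUFFIXES = new Set(["com", "net", "de", "co.uk", "github.io"]);

// Returns the registrable domain (eTLD+1) of a hostname,
// e.g. "passport.aliyun.com" -> "aliyun.com", "foo.github.io" -> "foo.github.io".
// Returns null when the hostname is itself a public suffix or has no known suffix.
function baseDomain(hostname) {
  const labels = hostname.toLowerCase().split(".").filter(Boolean);
  // Candidate suffixes are tried longest-first so "github.io" beats "io".
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      return labels.slice(i).join(".");
    }
  }
  return null;
}

// Decides whether a credential request from an iframe at iframeUrl, embedded
// in a top-level page at topUrl, should be served. allowedOrigins is a
// hypothetical per-site list of explicitly allowed third-party iframe origins.
function shouldServeCredentials(topUrl, iframeUrl, allowedOrigins = []) {
  const top = new URL(topUrl);
  const frame = new URL(iframeUrl);
  // Same origin: nothing cross-domain is happening at all.
  if (frame.origin === top.origin) return true;
  // Same registrable base domain (e.g. account.aliyun.com embedding passport.aliyun.com).
  const topBase = baseDomain(top.hostname);
  const frameBase = baseDomain(frame.hostname);
  if (topBase !== null && topBase === frameBase) return true;
  // Entirely different domain: only if the user explicitly allowed this origin.
  return allowedOrigins.includes(frame.origin);
}
```

Comparing the full origin rather than the hostname alone means an http: frame on an https: page is not treated as same-origin, and the explicit allow-list is keyed by origin for the same reason.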

Glad to hear that the same base domain has a path to a fix. I was perplexed as this seems to break maybe 1/3 of my logins (seems like many banks, brokerages, etc run afoul of this). Basically last week was happiness, this week was unhappiness.

One other idea for the different domain is to be able to honor the iframe if it's on additional url list (though the error msg is frequently only partially visible, so some work is needed to discover the domain to list).

Others I have found with same issue:

  1. Chase Bank
    https://www.chase.com
    https://secure.chase.com

  2. Disney Vacation Club (same issue with all other Disney sites)
    https://disneyvacationclub.disney.go.com/
    https://cdn.registerdisney.go.com/ (this is what the error shows)
    https://registerdisney.go.com/ (this is what the submit button form uses)

@nikduvall Thanks. I'll check those too.

Feel free to test it: #2079

The 3 sites I discovered this issue on are now working!

Where can I download the new version to solve the problem?

You will have to wait for the next release, or use the PR branch and load the extension manually.

For what it's worth, another one I found:
www.gog.com
error shows login.gog.com
Address in KeepassXC entry URL is gog.com

Works with PR2079.