Version 1.4.0 and Safari App Extensions
When developing Secrets we purposely avoided using browser extensions to do login filling on websites. The reasons are manyfold:
- our users should not have have to type their passphrase anywhere except on the Secrets application (specially not in the browser);
- only the Secrets application should handle your data and should always serve as gateway for it;
- establishing communication between the browser extension and Secrets also presented some security concerns;
- users would have to manually install the extension.
As such we used a much simpler and safer approach. We used Apple Events to communicate with both Safari and Chrome directly from Secrets, bypassing the need for a browser extension and all the issues that come with it.
So, what changed?
Just a few weeks after we launched Apple released macOS 10.11.5 and with it they disabled our integration by default. Our users had to manually enable a setting in Safari to bring back the functionality... Also, our Apple Events-based solution prevented us from filling logins on websites contained inside iframes, such as www.icloud.com.
To solve 1. and 2. we developed a very simple extension that tries to mimic our old behavior. Succinctly, the extension just announces to Secrets if there are login forms available to fill and checks if it should fill any of them. All the heavy lifting is still done on the main application just like before. This also meant that the logging in flow would stay the same for all existing users.
Finally, the extension enabled us to access the dreaded iframes we couldn't access before. So filling in www.icloud.com works now!
So go ahead and update and let us know if you run into any issues.
Happy login filling!