Click-to-login-bookmarklet

Issue #14 new
kreisel created an issue

Hey, a click-to-login bookmarklet like in Zoho Vault would be nice :)

https://www.zoho.com/vault/

Comments (10)

  1. Nils Steinger

    I would propose using an anchor (#) to determine the URL of the KDBX file to be pre-loaded:
    http://example.com/browsepass.html#http://example.com/files/passwords.kdbx

    That way, the server can't tell which file has been requested, thus improving privacy when browsepass is hosted by a third party.

  2. kreisel reporter

    That's also cool, but I mean something else. If you are on a site which is in your database on Zoho Vault, it is possible to click on the bookmarklet, and it lets you log in.

  3. Nils Steinger

    That would require you to either enter your password every time or store it in a cookie...

    (And it's way more complicated than the bookmark thing I've implemented. ;) )

  4. kreisel reporter

    That's what the "URL" looks like:

    javascript:(function(){var k='313b3cf3cc040de8d2a408f8036549f8e475331b1572e9ab04ecb9d4cc4f5355'; var v='0.22809886925501144';_ZV={ url:'https://vault.zoho.com/autofill.do',K:k,l:encodeURIComponent(location.href),s:document.createElement('script'),h:document.getElementsByTagName('head')[0] || document.documentElement};var s= _ZV.s;s.src=_ZV.url+'?url='+_ZV.l+'&v='+v+'&u=16108000000008003';_ZV.h.appendChild(s); })()
    

    It's possible to regenerate ;) Don't know if the password is stored in a cookie, but you are right that it should be very complicated to implement :D

    Thank you btw :)

  5. Nam Nguyen repo owner

    @kreisel are you referring to a bookmarklet that can automatically log you in to a saved site? If that is true, I think the bookmarklet idea is intriguing, though a bit insecure in my opinion.

    It can be done better perhaps as a Chrome/Firefox extension rather than a regular webpage like BrowsePass was born to be. I'll think about it more.

  6. kreisel reporter

    Yes, not automatically, but it's slick anyways! :)

    It's possible to click on a link inside of Zoho Vault, then you get to the site and now you can click on the bookmarklet to log in; sometimes it works without going through Zoho Vault. Here is a screenshot of what they are writing: one click auto logon.PNG

    But I think you have to see it for yourself.

  7. Nam Nguyen repo owner

    So I've been investigating this feature for a bit. I think it might be doable.

    The high-level idea is:

    1. BrowsePass generates a bookmarklet for a particular entry in its vault.
    2. User bookmarks this bookmarklet.
    3. User opens the target URL.
    4. User activates the bookmarklet.
    5. The bookmarklet communicates back to BrowsePass via window.postMessage to ask for username and password.
    6. BrowsePass authenticates the request and responds with required info.
    7. The bookmarklet receives the info, fills the password in the first type="password" field, and the username to the previous type="text" sibling.

    The communication messages need to be fleshed out to ensure security first though. I'll get to it when I can, unless someone else beats me.
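
Added example, not part of the thread and not BrowsePass code: one way the check in step 6 of the outline above ("BrowsePass authenticates the request") could look on the vault side, binding each reply to the origin of the saved entry. The per-entry `token`, the `entryId` field and all function names are assumptions made for illustration.

```javascript
// Illustrative sketch; field and function names are hypothetical, not BrowsePass APIs.

// Compare secrets without stopping at the first differing character.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Decide whether a credential request may be answered.
// senderOrigin must be the browser-supplied MessageEvent.origin, never a value
// taken from the message body, which the requesting page controls.
function authorizeRequest(request, senderOrigin, entry) {
  let saved;
  try {
    saved = new URL(entry.url);
  } catch (e) {
    return { ok: false, reason: 'bad-entry-url' };
  }
  if (saved.protocol !== 'https:') return { ok: false, reason: 'insecure-entry' };
  // Exact origin match: scheme, host and port. No substring or suffix tests.
  if (senderOrigin !== saved.origin) return { ok: false, reason: 'origin-mismatch' };
  if (!request || !safeEqual(request.token, entry.token)) {
    return { ok: false, reason: 'bad-token' };
  }
  return {
    ok: true,
    targetOrigin: saved.origin,
    reply: { username: entry.username, password: entry.password },
  };
}

// Message handler for the vault page. entries is a Map of entryId -> saved entry.
function makeListener(entries) {
  return function onMessage(event) {
    const data = event.data;
    if (!data || typeof data.entryId !== 'string') return;
    const entry = entries.get(data.entryId);
    if (!entry) return;
    const verdict = authorizeRequest(data, event.origin, entry);
    // Reply with an explicit targetOrigin, never '*', so the browser drops the
    // message if the sender has navigated to another origin in the meantime.
    if (verdict.ok) event.source.postMessage(verdict.reply, verdict.targetOrigin);
  };
}
```

The origin comparison is what limits the damage if the token embedded in a bookmarklet leaks: a request from any other origin is refused even when the token is correct.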

  8. Nam Nguyen repo owner

    Nope. window.postMessage does not work across tabs/browsing windows. There is a need to derive a communication method between two tabs/browsing windows on two different origins. I'll think about it more.
