A security researcher discovered that 1Password's browser extension bypasses the browser's Permissions Policy for WebAuthn. When a site sends `Permissions-Policy: publickey-credentials-create=()` to disable passkey creation, the browser correctly blocks the native API, but 1Password's wrapper — which replaces `navigator.credentials.create` in the page's main world — never checks this policy and still brokers a full passkey ceremony. The post details the wrapper's architecture, why a main-world fix is insufficient (attackers can spoof `document.featurePolicy`), and proposes moving the policy check into the extension's isolated content script world where page JS cannot tamper with it. A subsequent 1Password update hardened the wrapper against direct property replacement using non-configurable accessors, but the Permissions Policy bypass remains unaddressed. The post also demonstrates how the new hardening can be circumvented via a Proxy on `navigator.credentials` itself, and closes with a broader argument for CSP and Permissions Policy as defence-in-depth against XSS.
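To make the header semantics in the summary concrete, here is an added example (not code from the original post or from 1Password) that parses a `Permissions-Policy` response header and evaluates whether a feature is allowed for a given origin. It shows why `publickey-credentials-create=()` must deny passkey creation to every origin, the page's own included, which is exactly what the native API honours and the wrapper described above does not. The parser is an assumption-driven simplification: it handles only the `feature=*`, `feature=self`, `feature=()` and `feature=(self "https://origin")` forms, and the caller supplies each feature's default allowlist (for `publickey-credentials-create` the spec default is `self`).

```javascript
// Added example, not from the original post: a minimal evaluator for the
// Permissions-Policy header. Assumes the simplified dictionary grammar
// described in the lead-in; members without '=' are ignored.

function parsePermissionsPolicy(headerValue) {
  const policy = new Map(); // feature name -> allowlist tokens
  for (const rawMember of headerValue.split(',')) {
    const member = rawMember.trim();
    const eq = member.indexOf('=');
    if (!member || eq === -1) continue; // assumption: skip malformed members
    const feature = member.slice(0, eq).trim();
    let value = member.slice(eq + 1).trim();
    // `(a b c)` is an inner list; `*` or `self` may appear bare
    if (value.startsWith('(') && value.endsWith(')')) {
      value = value.slice(1, -1).trim();
    }
    const tokens = value === '' ? [] : value.split(/\s+/);
    // quoted origins like "https://a.example" lose their quotes
    policy.set(feature, tokens.map((t) => t.replace(/^"|"$/g, '')));
  }
  return policy;
}

// Decide whether `feature` is allowed for `requestOrigin` inside a document
// served from `documentOrigin`. An empty allowlist (`feature=()`) matches
// nothing, so it denies everyone, the document itself included.
function allowsFeature(policy, feature, requestOrigin, documentOrigin,
                       defaultAllowlist = ['self']) {
  const allowlist = policy.has(feature) ? policy.get(feature) : defaultAllowlist;
  for (const entry of allowlist) {
    if (entry === '*') return true;
    if (entry === 'self' && requestOrigin === documentOrigin) return true;
    if (entry === requestOrigin) return true;
  }
  return false;
}

// Convenience wrapper for the case the post is about. The header value and
// origin are constructed sample inputs.
function passkeyCreationAllowed(headerValue, origin) {
  const policy = parsePermissionsPolicy(headerValue);
  return allowsFeature(policy, 'publickey-credentials-create', origin, origin);
}

// Demo with a constructed origin
const origin = 'https://example.test';
console.log('create=()     ->',
  passkeyCreationAllowed('publickey-credentials-create=()', origin)); // false
console.log('create=self   ->',
  passkeyCreationAllowed('publickey-credentials-create=self', origin)); // true
console.log('header absent ->',
  passkeyCreationAllowed('', origin)); // true (default allowlist is self)
```

A browser-extension wrapper that replaces `navigator.credentials.create` would need to run this same decision before brokering a ceremony; as the summary notes, reading the result from the page's main world (for example via `document.featurePolicy`) is not trustworthy, so the check belongs in the extension's isolated world where the page cannot override it.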

15 min read. From scotthelme.ghost.io
Table of contents
- Enter the password manager
- Fixing the Permissions Policy Bypass
- An Extension Update Shortly After My Report
- Updating the PoC to Work Again
- Permissions Policy and Content Security Policy
- Disclosure and Closing