
What caused me to not consider Bitwarden was the way it handled iframes. It could send the parent site's credentials to an iframe even if the iframe was on a different domain. This is a big no-no in my book.

This was a discovery in a security review they did and chose not to change.

This was some time ago so things may have changed. But, that red flag kept me away.



Most likely because credit card forms are very often served in iframes. 1Password fills iframes too (though maybe only for cards, not sure).


1Password fills iframes based on their domain rather than the parent's. If you have an entry in 1Password it will use the value for the domain of the iframe.

I’ve gone so far as to test this.

In my opinion this is the right security model.
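The two autofill policies contrasted in this thread, as an added illustration that is not code from any commenter, from Bitwarden, or from 1Password: one policy picks credentials by the top-level page's domain and hands them to whatever frame asks, the other picks them by the frame's own origin. The vault entries, hostnames and the simplified registrable-domain helper are all constructed assumptions.

```javascript
// Constructed sample vault: credential entries keyed by registrable domain.
const VAULT = {
  "bank.example": { user: "alice", password: "bank-secret" },
  "payments.test": { user: "alice", password: "card-token" },
};

// Simplified eTLD+1 extraction: keeps the last two labels of the host.
// Real extensions consult the Public Suffix List; this shortcut is an
// assumption that holds for the sample hosts used here.
function registrableDomain(origin) {
  const host = new URL(origin).hostname;
  return host.split(".").slice(-2).join(".");
}

// Decide which credential, if any, to fill into a frame.
// policy "parent": credential chosen by the top-level page's domain
//   (the behaviour the first comment objects to).
// policy "frame":  credential chosen by the frame's own origin
//   (the model the thread attributes to 1Password).
function credentialForFrame(topOrigin, frameOrigin, policy, vault = VAULT) {
  const key = registrableDomain(policy === "parent" ? topOrigin : frameOrigin);
  return vault[key] || null;
}

// True when a fill would deliver a credential to a frame whose registrable
// domain differs from the domain the credential was saved for.
function fillLeaksAcrossOrigin(topOrigin, frameOrigin, policy, vault = VAULT) {
  const cred = credentialForFrame(topOrigin, frameOrigin, policy, vault);
  if (!cred) return false;
  const credDomain = Object.keys(vault).find((k) => vault[k] === cred);
  return credDomain !== registrableDomain(frameOrigin);
}

// Stand-alone demonstration: a third-party frame embedded in the bank's page.
if (typeof require !== "undefined" && require.main === module) {
  const top = "https://www.bank.example";
  const frame = "https://checkout.third-party.invalid";
  console.log("parent policy:", credentialForFrame(top, frame, "parent")); // bank credential
  console.log("frame policy:", credentialForFrame(top, frame, "frame")); // null
}
```

Under the "frame" policy the third-party frame receives nothing, while a frame on payments.test still gets the card entry saved for that domain.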


That definitely makes sense for logins.



