[Password manager] Recognise squashed login+sign-up forms

components/autofill/content/renderer/password_form_conversion_utils.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/autofill/content/renderer/password_form_conversion_utils.h"
 
 #include "base/strings/string_util.h"
 #include "components/autofill/content/renderer/form_autofill_util.h"
 #include "components/autofill/core/common/password_form.h"
 #include "third_party/WebKit/public/platform/WebString.h"
 #include "third_party/WebKit/public/web/WebDocument.h"
 #include "third_party/WebKit/public/web/WebFormControlElement.h"
 #include "third_party/WebKit/public/web/WebInputElement.h"
+#include "third_party/re2/re2/re2.h"
 
 using blink::WebDocument;
 using blink::WebFormControlElement;
 using blink::WebFormElement;
 using blink::WebInputElement;
 using blink::WebString;
 using blink::WebVector;
 
 namespace autofill {
 namespace {
 
+// Given the sequence of non-password and password text input fields of a form,
+// represented as a string of Ns (non-password) and Ps (password), computes the
+// layout type of that form.
+PasswordForm::Layout SequenceToLayout(re2::StringPiece layout_sequence) {
+  if (RE2::FullMatch(layout_sequence, "NPN+PP"))

[Garrett Casto, 2015/03/17 22:49:37]

As written this is over constrained and doesn't catch either godaddy.com or
nordstrom.com (godaddy has only one password field for the signup portion and
nordstrom has a text field after the last password field).

We want this to be as simple as possible and still allow sites like godaddy to
work but not negatively impact more traditional forms. The best regexp that I
can think of that makes both broken sites work is "NPN+P.*". I can't think of
examples right now that this would match that aren't combined forms. I could
imagine a signup form that could match this ("username, password, random
information, security question, security answer (password field)"), but I would
think such a construct would be rare. Even if it were to accidentally get
labeled as LAYOUT_LOGIN_AND_SIGNUP, filling saved credentials on a signup form,
while bad, isn't a disaster.

Does that regexp change seem reasonable to you?

[vabr (Chromium), 2015/03/18 16:51:03]

Ah, I forgot to get back from my distilled toy examples to the real world.
Thanks for pointing this out!
It does, I agree with your view of the severity of the potential breakage, and
cannot think of a page I know is already broken by that.

+    return PasswordForm::Layout::LAYOUT_LOGIN_AND_SIGNUP;
+  return PasswordForm::Layout::LAYOUT_OTHER;
+}
+
 // Checks in a case-insensitive way if the autocomplete attribute for the given
 // |element| is present and has the specified |value_in_lowercase|.
 bool HasAutocompleteAttributeValue(const WebInputElement& element,
                                    const char* value_in_lowercase) {
   return LowerCaseEqualsASCII(element.getAttribute("autocomplete"),
                               value_in_lowercase);
 }
 
 // Helper to determine which password is the main (current) one, and which is
 // the new password (e.g., on a sign-up or change password form), if any.
@@ skipping 83 matching lines @@
         nonscript_modified_values) {
   WebInputElement latest_input_element;
   WebInputElement username_element;
   password_form->username_marked_by_site = false;
   std::vector<WebInputElement> passwords;
   std::vector<base::string16> other_possible_usernames;
 
   WebVector<WebFormControlElement> control_elements;
   form.getFormControlElements(control_elements);
 
+  std::string layout_sequence;
+  layout_sequence.reserve(control_elements.size());
   for (size_t i = 0; i < control_elements.size(); ++i) {
     WebFormControlElement control_element = control_elements[i];
     if (control_element.isActivatedSubmit())
       password_form->submit_element = control_element.formControlName();
 
     WebInputElement* input_element = toWebInputElement(&control_element);
     if (!input_element || !input_element->isEnabled())
       continue;
 
+    if (input_element->isTextField()) {
+      if (input_element->isPasswordField())
+        layout_sequence.push_back('P');
+      else
+        layout_sequence.push_back('N');
+    }
+
     if (input_element->isPasswordField()) {
       passwords.push_back(*input_element);
       // If we have not yet considered any element to be the username so far,
       // provisionally select the input element just before the first password
       // element to be the username. This choice will be overruled if we later
       // find an element with autocomplete='username'.
       if (username_element.isNull() && !latest_input_element.isNull()) {
         username_element = latest_input_element;
         // Remove the selected username from other_possible_usernames.
         if (!latest_input_element.value().isEmpty()) {
@@ skipping 40 matching lines @@
           // out to be a password. Save a non-empty username as a possible
           // alternative, at least for now.
           if (username_element.isNull())
             latest_input_element = *input_element;
           if (!input_element->value().isEmpty())
             other_possible_usernames.push_back(input_element->value());
         }
       }
     }
   }
+  password_form->layout = SequenceToLayout(layout_sequence);
 
   if (!username_element.isNull()) {
     password_form->username_element = username_element.nameForAutofill();
     base::string16 username_value = username_element.value();
     if (nonscript_modified_values != nullptr) {
       auto username_iterator =
         nonscript_modified_values->find(username_element);
       if (username_iterator != nonscript_modified_values->end()) {
         base::string16 typed_username_value = username_iterator->second;
         if (!StartsWith(username_value, typed_username_value, false)) {
@@ skipping 80 matching lines @@
                            blink::WebFormControlElement(),
                            REQUIRE_NONE,
                            EXTRACT_NONE,
                            &password_form->form_data,
                            NULL /* FormFieldData */);
 
   return password_form.Pass();
 }
 
 }  // namespace autofill