iOS: Mark HTTP pages with password fields with an omnibox icon.

ios/web/web_state/ui/crw_web_controller.mm

 // Copyright 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #import "ios/web/web_state/ui/crw_web_controller.h"
 
 #import <WebKit/WebKit.h>
 
 #import <objc/runtime.h>
 #include <stddef.h>
@@ skipping 4572 matching lines @@
 }
 
 - (void)didUpdateSSLStatusForCurrentNavigationItem {
   if ([_delegate respondsToSelector:
           @selector(
               webControllerDidUpdateSSLStatusForCurrentNavigationItem:)]) {
     [_delegate webControllerDidUpdateSSLStatusForCurrentNavigationItem:self];
   }
 }
 
+- (void)didShowSensitiveInputOnHttp {
+  // TODO: Get the current item, not the visible item.

[lgarron, 2016/11/29 03:48:49]

The implementation of webControllerDidUpdateSSLStatusForCurrentNavigationItem:
actually uses GetTransientItem().

Also, there is no "current item" method, on the controller, only:

- GetVisibleItem()
- GetLastCommittedItem()
- GetPendingItem()
- GetTransientItem()

Which should I use?
GetTransientItem() is consistent with
didUpdateSSLStatusForCurrentNavigationItem, but sounds the
second-least-accurate.

[Eugene But (OOO till 7-30), 2016/11/30 17:58:41]

Tab uses transient item to exit from fullscreen if interstitial is shown. Which
API do you use for other platforms? Is there anything suitable in
CRWSessionController?

[lgarron, 2016/12/02 01:21:52]

Desktop uses LastCommittedEntry() [1].
Ive updated this callsite, and also used the last committed URL in the password
manager.

However, this function still calls
webControllerDidUpdateSSLStatusForCurrentNavigationItem, which uses the
transient entry. Is that safe, or should I mage a version of
webControllerDidUpdateSSLStatusForCurrentNavigationItem that uses the last
committed entry?

[1]
https://cs.chromium.org/chromium/src/content/browser/ssl/ssl_manager.cc?dr=CS...

[Eugene But (OOO till 7-30), 2016/12/02 01:53:11]

There is no ned to change Tab. It uses pending entry to check for interstitial
presence, which is orthogonal to password field warning.

+  web::NavigationItem* item =
+      self.webState->GetNavigationManager()->GetVisibleItem();
+  item->GetSSL().security_style = web::SECURITY_STYLE_AUTHENTICATED;

[estark, 2016/11/29 21:28:48]

I don't think you should be setting the security_style or
DISPLAYED_INSECURE_CONTENT here, unless I'm missing something.

[lgarron, 2016/12/02 01:21:52]

Removed.

+  item->GetSSL().content_status |= web::SSLStatus::DISPLAYED_INSECURE_CONTENT;
+  item->GetSSL().content_status |=
+      web::SSLStatus::DISPLAYED_PASSWORD_FIELD_ON_HTTP;

[estark, 2016/11/29 21:28:48]

Are you planning to later expand this method to handle credit cards too? Or do
that as a separate method? If the latter, maybe this should be named
didShowPasswrodInputOnHttp.

[lgarron, 2016/12/02 01:21:52]

Possibly. I've renamed to didShowPasswordInputOnHTTP.

+  [self didUpdateSSLStatusForCurrentNavigationItem];
+}
+
 - (void)handleSSLCertError:(NSError*)error {
   CHECK(web::IsWKWebViewSSLCertError(error));
 
   net::SSLInfo info;
   web::GetSSLInfoFromWKWebViewSSLCertError(error, &info);
 
   if (!info.cert) {
     // |info.cert| can be null if certChain in NSError is empty or can not be
     // parsed, in this case do not ask delegate if error should be allowed, it
     // should not be.
@@ skipping 1165 matching lines @@
   }
 
   return web::WEB_VIEW_DOCUMENT_TYPE_GENERIC;
 }
 
 - (NSString*)refererFromNavigationAction:(WKNavigationAction*)action {
   return [action.request valueForHTTPHeaderField:@"Referer"];
 }
 
 @end