HTTP Bad: Split out UMA metrics for password vs credit card "Not secure" warnings

chrome/browser/ssl/chrome_security_state_model_client.cc

Index: chrome/browser/ssl/chrome_security_state_model_client.cc
diff --git a/chrome/browser/ssl/chrome_security_state_model_client.cc b/chrome/browser/ssl/chrome_security_state_model_client.cc
index 91f94b325332b079b5805f7ff5e3650b51ffeed4..f43d47c7c9579f5ca8eeb88fd0deb8e941afb0fc 100644
--- a/chrome/browser/ssl/chrome_security_state_model_client.cc
+++ b/chrome/browser/ssl/chrome_security_state_model_client.cc
@@ -195,7 +195,8 @@ blink::WebSecurityStyle ChromeSecurityStateModelClient::GetSecurityStyle(
             l10n_util::GetStringUTF8(IDS_PRIVATE_USER_DATA_INPUT_DESCRIPTION)));
   } else if (security_info.security_level ==
                  security_state::SecurityStateModel::NONE &&
-             security_info.displayed_private_user_data_input_on_http) {
+             (security_info.displayed_password_field_on_http ||
+              security_info.displayed_credit_card_field_on_http)) {
     // If the HTTP_SHOW_WARNING field trial isn't in use yet, display an
     // informational note that the omnibox will contain a warning for
     // this site in a future version of Chrome.
@@ -333,7 +334,8 @@ void ChromeSecurityStateModelClient::VisibleSecurityStateChanged() {
 
   security_state::SecurityStateModel::SecurityInfo security_info;
   GetSecurityInfo(&security_info);
-  if (!security_info.displayed_private_user_data_input_on_http)
+  if (!security_info.displayed_password_field_on_http &&
+      !security_info.displayed_credit_card_field_on_http)

[estark, 2016/11/09 15:56:46]

nit: now that the conditional spans two lines, can you please add curly braces
around the body?

[lshang, 2016/11/10 04:53:54]

Done.

     return;
 
   std::string warning;
@@ -360,8 +362,15 @@ void ChromeSecurityStateModelClient::VisibleSecurityStateChanged() {
   logged_http_warning_on_current_navigation_ = true;
   web_contents_->GetMainFrame()->AddMessageToConsole(
       content::CONSOLE_MESSAGE_LEVEL_WARNING, warning);
-  UMA_HISTOGRAM_BOOLEAN("Security.HTTPBad.UserWarnedAboutSensitiveInput",
-                        warning_is_user_visible);
+
+  UMA_HISTOGRAM_BOOLEAN(
+      "Security.HTTPBad.UserWarnedAboutSensitiveInput.CreditCard",
+      security_info.displayed_credit_card_field_on_http &&

[estark, 2016/11/09 15:56:46]

Hmm. I think we ought to only record the histograms conditionally, like this:

if (security_info.displayed_credit_card_field_on_http) {
  UMA_HISTOGRAM_BOOLEAN("...CreditCard", warning_is_user_visible);
}
if (security_info.displayed_password_field_on_http) {
  UMA_HISTOGRAM_BOOLEAN("...Password", warning_is_user_visible);
}

That way a histogram value of false means "there was a password/credit card
field and we only logged a console message." As it is right now, with recording
the histogram unconditionally, a value of false could mean multiple things: it
could mean there was a password/cc field and we only logged a console message,
or it could mean there was no password/cc field.

[lshang, 2016/11/10 04:53:54]

Done.

+          warning_is_user_visible);
+  UMA_HISTOGRAM_BOOLEAN(
+      "Security.HTTPBad.UserWarnedAboutSensitiveInput.Password",
+      security_info.displayed_password_field_on_http &&
+          warning_is_user_visible);
 }
 
 void ChromeSecurityStateModelClient::DidFinishNavigation(