Show FormNotSecure warnings on sensitive inputs in non-secure contexts

components/autofill/content/renderer/password_autofill_agent.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/autofill/content/renderer/password_autofill_agent.h"
 
 #include <stddef.h>
 
 #include <memory>
 #include <string>
@@ skipping 10 matching lines @@
 #include "base/strings/utf_string_conversions.h"
 #include "base/threading/thread_task_runner_handle.h"
 #include "build/build_config.h"
 #include "components/autofill/content/renderer/form_autofill_util.h"
 #include "components/autofill/content/renderer/password_form_conversion_utils.h"
 #include "components/autofill/content/renderer/renderer_save_password_progress_logger.h"
 #include "components/autofill/core/common/autofill_constants.h"
 #include "components/autofill/core/common/autofill_util.h"
 #include "components/autofill/core/common/form_field_data.h"
 #include "components/autofill/core/common/password_form_fill_data.h"
+#include "components/security_state/core/security_state.h"
+#include "content/public/common/origin_util.h"
 #include "content/public/renderer/document_state.h"
 #include "content/public/renderer/navigation_state.h"
 #include "content/public/renderer/render_frame.h"
 #include "content/public/renderer/render_view.h"
 #include "services/service_manager/public/cpp/interface_provider.h"
 #include "services/service_manager/public/cpp/interface_registry.h"
 #include "third_party/WebKit/public/platform/WebInputEvent.h"
 #include "third_party/WebKit/public/platform/WebSecurityOrigin.h"
 #include "third_party/WebKit/public/platform/WebVector.h"
 #include "third_party/WebKit/public/web/WebAutofillClient.h"
@@ skipping 794 matching lines @@
   return true;
 }
 
 bool PasswordAutofillAgent::ShowSuggestions(
     const blink::WebInputElement& element,
     bool show_all,
     bool generation_popup_showing) {
   blink::WebInputElement username_element;
   blink::WebInputElement password_element;
   PasswordInfo* password_info;
+
   if (!FindPasswordInfoForElement(element, &username_element, &password_element,
-                                  &password_info))
+                                  &password_info)) {
+    // If we don't have a password stored, but the form is non-secure, warn
+    // the user about the non-secure form.
+    if ((element.isPasswordField() ||
+         HasAutocompleteAttributeValue(element, "username")) &&
+        security_state::IsHttpWarningInFormEnabled() &&
+        !content::IsOriginSecure(url::Origin(render_frame()
+                                                 ->GetRenderView()
+                                                 ->GetMainRenderFrame()
+                                                 ->GetWebFrame()
+                                                 ->getSecurityOrigin())
+                                     .GetURL())) {
+      autofill_agent_->ShowNotSecureWarning(element);
+      return true;
+    }
     return false;
+  }
 
   // If autocomplete='off' is set on the form elements, no suggestion dialog
   // should be shown. However, return |true| to indicate that this is a known
   // password form and that the request to show suggestions has been handled (as
   // a no-op).
   if (!element.isTextField() || !IsElementAutocompletable(element) ||
       !IsElementAutocompletable(password_element))
     return true;
 
   if (element.nameForAutofill().isEmpty() &&
@@ skipping 644 matching lines @@
 PasswordAutofillAgent::GetPasswordManagerDriver() {
   if (!password_manager_driver_) {
     render_frame()->GetRemoteInterfaces()->GetInterface(
         mojo::MakeRequest(&password_manager_driver_));
   }
 
   return password_manager_driver_;
 }
 
 }  // namespace autofill