Show Login Not Secure on username field even without Autocomplete attribute

components/autofill/content/renderer/password_autofill_agent.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/autofill/content/renderer/password_autofill_agent.h"
 
 #include <stddef.h>
 
 #include <memory>
 #include <string>
@@ skipping 819 matching lines @@
   if (iter == web_input_to_password_info_.end())
     return false;
 
   *password_info = &iter->second;
   if (password_element->isNull())
     *password_element = (*password_info)->password_field;
 
   return true;
 }
 
+bool PasswordAutofillAgent::ShouldShowNotSecureWarning(
+    const blink::WebInputElement& element) {
+  // Do not show a warning if the feature is disabled or the context is secure.
+  if (!security_state::IsHttpWarningInFormEnabled() ||
+      content::IsOriginSecure(
+          url::Origin(render_frame()->GetWebFrame()->top()->getSecurityOrigin())
+              .GetURL()))
+    return false;
+
+  // Show the warning on all Password inputs.
+  // Note: A site may use a Password field to collect a CVV or a Credit Card
+  // number, but showing a slightly misleading warning here is better than
+  // showing no warning at all.
+  if (element.isPasswordField())
+    return true;
+
+  // If a field declares itself a username input, show the warning.
+  if (HasAutocompleteAttributeValue(element, "username"))
+    return true;
+
+  // Otherwise, analyze the form and return true if this input element seems
+  // to be the username field.
+  std::unique_ptr<PasswordForm> password_form;
+  if (element.form().isNull()) {
+    blink::WebFrame* const element_frame = element.document().frame();
+    if (!element_frame)
+      return false;
+
+    password_form = CreatePasswordFormFromUnownedInputElements(
+        *element_frame, &field_value_and_properties_map_, &form_predictions_);
+  } else {
+    password_form = CreatePasswordFormFromWebForm(
+        element.form(), &field_value_and_properties_map_, &form_predictions_);
+  }
+
+  if (!password_form)
+    return false;
+  return (password_form->username_element == element.nameForAutofill().utf16());
+}
+
 bool PasswordAutofillAgent::ShowSuggestions(
     const blink::WebInputElement& element,
     bool show_all,
     bool generation_popup_showing) {
   blink::WebInputElement username_element;
   blink::WebInputElement password_element;
   PasswordInfo* password_info;
 
   if (!FindPasswordInfoForElement(element, &username_element, &password_element,
                                   &password_info)) {
-    // If we don't have a password stored, but the form is non-secure, warn
-    // the user about the non-secure form.
-    if ((element.isPasswordField() ||
-         HasAutocompleteAttributeValue(element, "username")) &&
-        security_state::IsHttpWarningInFormEnabled() &&
-        !content::IsOriginSecure(
-            url::Origin(
-                render_frame()->GetWebFrame()->top()->getSecurityOrigin())
-                .GetURL())) {
+    if (ShouldShowNotSecureWarning(element)) {
       autofill_agent_->ShowNotSecureWarning(element);
       return true;
     }
     return false;
   }
 
   // If autocomplete='off' is set on the form elements, no suggestion dialog
   // should be shown. However, return |true| to indicate that this is a known
   // password form and that the request to show suggestions has been handled (as
   // a no-op).
@@ skipping 647 matching lines @@
 PasswordAutofillAgent::GetPasswordManagerDriver() {
   if (!password_manager_driver_) {
     render_frame()->GetRemoteInterfaces()->GetInterface(
         mojo::MakeRequest(&password_manager_driver_));
   }
 
   return password_manager_driver_;
 }
 
 }  // namespace autofill