
Unified Diff: components/autofill/content/renderer/password_autofill_agent.cc

Issue 2682473002: Show Login Not Secure on username field even without Autocomplete attribute (Closed)
Patch Set: Show Login Not Secure warning only on password and username field Created 3 years, 10 months ago
Index: components/autofill/content/renderer/password_autofill_agent.cc
diff --git a/components/autofill/content/renderer/password_autofill_agent.cc b/components/autofill/content/renderer/password_autofill_agent.cc
index 69a16f4d6ebf9c48a53057358509d638ba1d2b2d..2f01ac0c6285c7fadfe75e2d4777ed274cb5d274 100644
--- a/components/autofill/content/renderer/password_autofill_agent.cc
+++ b/components/autofill/content/renderer/password_autofill_agent.cc
@@ -838,6 +838,46 @@ bool PasswordAutofillAgent::FindPasswordInfoForElement(
return true;
}
+bool PasswordAutofillAgent::ShouldShowNotSecureWarning(
+ const blink::WebInputElement& element) {
+ // Do not show a warning if the feature is disabled or the context is secure.
+ if (!security_state::IsHttpWarningInFormEnabled() ||
+ content::IsOriginSecure(
+ url::Origin(render_frame()->GetWebFrame()->top()->getSecurityOrigin())
+ .GetURL()))
+ return false;
+
+ // Show the warning on all Password inputs.
+ // Note: A site may use a Password field to collect a CVV or a Credit Card
+ // number, but showing a slightly misleading warning here is better than
+ // showing no warning at all.
+ if (element.isPasswordField())
+ return true;
+
+ // If a field declares itself a username input, show the warning.
+ if (HasAutocompleteAttributeValue(element, "username"))
+ return true;
+
+ // Otherwise, analyze the form and return true if this input element seems
+ // to be the username field.
+ std::unique_ptr<PasswordForm> password_form;
+ if (element.form().isNull()) {
+ blink::WebFrame* const element_frame = element.document().frame();
+ if (!element_frame)
+ return false;
+
+ password_form = CreatePasswordFormFromUnownedInputElements(
+ *element_frame, &field_value_and_properties_map_, &form_predictions_);
+ } else {
+ password_form = CreatePasswordFormFromWebForm(
+ element.form(), &field_value_and_properties_map_, &form_predictions_);
+ }
+
+ if (!password_form)
+ return false;
+ return (password_form->username_element == element.nameForAutofill().utf16());
+}
+
bool PasswordAutofillAgent::ShowSuggestions(
const blink::WebInputElement& element,
bool show_all,
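Review bot: The last comparison in ShouldShowNotSecureWarning, `password_form->username_element == element.nameForAutofill().utf16()`, matches on the field name only, so it also returns true when both strings are empty. That is presumably the case when the form parser found no username field and the focused input has neither a name nor an id, and it would put the Login Not Secure warning on an unrelated text field, which the patch set title says it wants to avoid. A guard before the comparison would rule that out: `if (password_form->username_element.empty()) return false;`. Two inputs that share a name would also both match; if that matters, the check needs to identify the element rather than its name.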
@@ -848,15 +888,7 @@ bool PasswordAutofillAgent::ShowSuggestions(
if (!FindPasswordInfoForElement(element, &username_element, &password_element,
&password_info)) {
- // If we don't have a password stored, but the form is non-secure, warn
- // the user about the non-secure form.
- if ((element.isPasswordField() ||
- HasAutocompleteAttributeValue(element, "username")) &&
- security_state::IsHttpWarningInFormEnabled() &&
- !content::IsOriginSecure(
- url::Origin(
- render_frame()->GetWebFrame()->top()->getSecurityOrigin())
- .GetURL())) {
+ if (ShouldShowNotSecureWarning(element)) {
autofill_agent_->ShowNotSecureWarning(element);
return true;
}
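Review bot: The new call `if (ShouldShowNotSecureWarning(element)) {` drops the comment that explained why this branch exists, and the call alone does not show that the warning is only considered after FindPasswordInfoForElement has found nothing for the field. A one-line comment would keep that context, for example `// No saved credentials for this field; still warn if the page is not secure.` ShowSuggestions continues outside the hunk, so whether the path with stored credentials also surfaces the warning cannot be checked from here.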
