Trigger Password Protection ping on username/password field on focus

components/autofill/content/renderer/password_autofill_agent.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/autofill/content/renderer/password_autofill_agent.h"
 
 #include <stddef.h>
 
 #include <memory>
 #include <string>
@@ skipping 609 matching lines @@
 
 ////////////////////////////////////////////////////////////////////////////////
 // PasswordAutofillAgent, public:
 
 PasswordAutofillAgent::PasswordAutofillAgent(content::RenderFrame* render_frame)
     : content::RenderFrameObserver(render_frame),
       logging_state_active_(false),
       was_username_autofilled_(false),
       was_password_autofilled_(false),
       sent_request_to_store_(false),
+      checked_safe_browsing_reputation_(false),
       binding_(this) {
   // PasswordAutofillAgent is guaranteed to outlive |render_frame|.
   render_frame->GetInterfaceRegistry()->AddInterface(
       base::Bind(&PasswordAutofillAgent::BindRequest, base::Unretained(this)));
 }
 
 PasswordAutofillAgent::~PasswordAutofillAgent() {
 }
 
 void PasswordAutofillAgent::BindRequest(
@@ skipping 252 matching lines @@
   *password_info = &iter->second;
   if (password_element->IsNull())
     *password_element = (*password_info)->password_field;
 
   return true;
 }
 
 bool PasswordAutofillAgent::ShouldShowNotSecureWarning(
     const blink::WebInputElement& element) {
   // Do not show a warning if the feature is disabled or the context is secure.
-  if (!security_state::IsHttpWarningInFormEnabled() ||
-      content::IsOriginSecure(
-          url::Origin(render_frame()->GetWebFrame()->Top()->GetSecurityOrigin())
-              .GetURL()))
-    return false;
+  return security_state::IsHttpWarningInFormEnabled() &&
+         !content::IsOriginSecure(
+             url::Origin(
+                 render_frame()->GetWebFrame()->Top()->GetSecurityOrigin())
+                 .GetURL());
+}
 
-  // Show the warning on all Password inputs.
+bool PasswordAutofillAgent::IsUsernameOrPasswordField(
+    const blink::WebInputElement& element) {
   // Note: A site may use a Password field to collect a CVV or a Credit Card
   // number, but showing a slightly misleading warning here is better than
   // showing no warning at all.
   if (element.IsPasswordField())
     return true;
 
   // If a field declares itself a username input, show the warning.
   if (HasAutocompleteAttributeValue(element, "username"))
     return true;
 
   // Otherwise, analyze the form and return true if this input element seems
   // to be the username field.
   std::unique_ptr<PasswordForm> password_form;
   if (element.Form().IsNull()) {
     blink::WebFrame* const element_frame = element.GetDocument().GetFrame();
     if (!element_frame)
       return false;
 
     password_form = CreatePasswordFormFromUnownedInputElements(
         *element_frame, &field_value_and_properties_map_, &form_predictions_);
   } else {
     password_form = CreatePasswordFormFromWebForm(
         element.Form(), &field_value_and_properties_map_, &form_predictions_);
   }
 
   if (!password_form)
     return false;
   return (password_form->username_element == element.NameForAutofill().Utf16());

[dvadym, 2017/04/27 10:46:30]

Just keep in mind, that heuristics for detecting username element are not
reliable. But since true is returned when |element| is password, it covers all
passwords fields, so it looks ok.

[Jialiu Lin, 2017/04/28 00:09:08]

Yes, I'm aware of that. 

 }
 
 bool PasswordAutofillAgent::ShowSuggestions(
     const blink::WebInputElement& element,
     bool show_all,
     bool generation_popup_showing) {
   blink::WebInputElement username_element;
   blink::WebInputElement password_element;
   PasswordInfo* password_info;
 
   if (!FindPasswordInfoForElement(element, &username_element, &password_element,
                                   &password_info)) {
-    if (ShouldShowNotSecureWarning(element)) {
-      autofill_agent_->ShowNotSecureWarning(element);
-      return true;
+    if (IsUsernameOrPasswordField(element)) {
+#if defined(SAFE_BROWSING_DB_LOCAL)
+      if (!checked_safe_browsing_reputation_) {
+        checked_safe_browsing_reputation_ = true;
+        GetPasswordManagerDriver()->CheckSafeBrowsingReputation(
+            element.Form().IsNull()

[dvadym, 2017/04/27 10:46:30]

Are you sure that you need form_action not frame url? Nowadays submissions are
often done with JavaScript and action means nothing. Or you need both.

[Jialiu Lin, 2017/04/28 00:09:08]

Good to know.  I'll add more fields to the CheckSafeBrowsingReputation call.

+                ? GURL()

[dvadym, 2017/04/27 10:46:30]

Probably in case when a form is absent, current url is better option. It's
completely valid when there is no <form> tag

[Jialiu Lin, 2017/04/28 00:09:08]

Changed to pass both the action url and current frame url to the
CheckSafeBrowsingReputation call.  

+                : form_util::GetCanonicalActionForForm(element.Form()));
+      }
+#endif
+      if (ShouldShowNotSecureWarning(element)) {
+        autofill_agent_->ShowNotSecureWarning(element);
+        return true;
+      }
     }
     return false;
   }
 
   // If autocomplete='off' is set on the form elements, no suggestion dialog
   // should be shown. However, return |true| to indicate that this is a known
   // password form and that the request to show suggestions has been handled (as
   // a no-op).
   if (!element.IsTextField() || !IsElementAutocompletable(element) ||
       !IsElementAutocompletable(password_element))
@@ skipping 222 matching lines @@
 
 void PasswordAutofillAgent::WillCommitProvisionalLoad() {
   FrameClosing();
 }
 
 void PasswordAutofillAgent::DidCommitProvisionalLoad(
     bool is_new_navigation,
     bool is_same_document_navigation) {
   if (is_same_document_navigation) {
     OnSameDocumentNavigationCompleted();
+  } else {
+    checked_safe_browsing_reputation_ = false;
   }
 }
 
 void PasswordAutofillAgent::FrameDetached() {
   // If a sub frame has been destroyed while the user was entering information
   // into a password form, try to save the data. See https://crbug.com/450806
   // for examples of sites that perform login using this technique.
   if (render_frame()->GetWebFrame()->Parent() &&
       provisionally_saved_form_.IsPasswordValid()) {
     GetPasswordManagerDriver()->InPageNavigation(
@@ skipping 386 matching lines @@
 }
 
 void PasswordAutofillAgent::FrameClosing() {
   for (auto const& iter : web_input_to_password_info_) {
     password_to_username_.erase(iter.second.password_field);
   }
   web_input_to_password_info_.clear();
   provisionally_saved_form_.Reset();
   field_value_and_properties_map_.clear();
   sent_request_to_store_ = false;
+  checked_safe_browsing_reputation_ = false;
 }
 
 void PasswordAutofillAgent::ClearPreview(
     blink::WebInputElement* username,
     blink::WebInputElement* password) {
   if (!username->IsNull() && !username->SuggestedValue().IsEmpty()) {
     username->SetSuggestedValue(blink::WebString());
     username->SetAutofilled(was_username_autofilled_);
     username->SetSelectionRange(username_query_prefix_.length(),
                                 username->Value().length());
@@ skipping 27 matching lines @@
 PasswordAutofillAgent::GetPasswordManagerDriver() {
   if (!password_manager_driver_) {
     render_frame()->GetRemoteInterfaces()->GetInterface(
         mojo::MakeRequest(&password_manager_driver_));
   }
 
   return password_manager_driver_;
 }
 
 }  // namespace autofill