Trigger Password Protection ping on username/password field on focus

components/autofill/content/renderer/password_autofill_agent.cc

Index: components/autofill/content/renderer/password_autofill_agent.cc
diff --git a/components/autofill/content/renderer/password_autofill_agent.cc b/components/autofill/content/renderer/password_autofill_agent.cc
index 212eef1913636fe4d376f0826c5d5bf3a8df9195..af2ca2828c7e33514870276fda702ecacbfaaf63 100644
--- a/components/autofill/content/renderer/password_autofill_agent.cc
+++ b/components/autofill/content/renderer/password_autofill_agent.cc
@@ -627,6 +627,7 @@ PasswordAutofillAgent::PasswordAutofillAgent(content::RenderFrame* render_frame)
       was_username_autofilled_(false),
       was_password_autofilled_(false),
       sent_request_to_store_(false),
+      checked_safe_browsing_reputation_(false),
       binding_(this) {
   // PasswordAutofillAgent is guaranteed to outlive |render_frame|.
   render_frame->GetInterfaceRegistry()->AddInterface(
@@ -899,13 +900,15 @@ bool PasswordAutofillAgent::FindPasswordInfoForElement(
 bool PasswordAutofillAgent::ShouldShowNotSecureWarning(
     const blink::WebInputElement& element) {
   // Do not show a warning if the feature is disabled or the context is secure.
-  if (!security_state::IsHttpWarningInFormEnabled() ||
-      content::IsOriginSecure(
-          url::Origin(render_frame()->GetWebFrame()->Top()->GetSecurityOrigin())
-              .GetURL()))
-    return false;
+  return security_state::IsHttpWarningInFormEnabled() &&
+         !content::IsOriginSecure(
+             url::Origin(
+                 render_frame()->GetWebFrame()->Top()->GetSecurityOrigin())
+                 .GetURL());
+}
 
-  // Show the warning on all Password inputs.
+bool PasswordAutofillAgent::IsUsernameOrPasswordField(
+    const blink::WebInputElement& element) {
   // Note: A site may use a Password field to collect a CVV or a Credit Card
   // number, but showing a slightly misleading warning here is better than
   // showing no warning at all.
@@ -946,9 +949,20 @@ bool PasswordAutofillAgent::ShowSuggestions(
 
   if (!FindPasswordInfoForElement(element, &username_element, &password_element,
                                   &password_info)) {
-    if (ShouldShowNotSecureWarning(element)) {
-      autofill_agent_->ShowNotSecureWarning(element);
-      return true;
+    if (IsUsernameOrPasswordField(element)) {
+#if defined(SAFE_BROWSING_DB_LOCAL)
+      if (!checked_safe_browsing_reputation_) {
+        checked_safe_browsing_reputation_ = true;
+        GetPasswordManagerDriver()->CheckSafeBrowsingReputation(
+            element.Form().IsNull()

[dvadym, 2017/04/27 10:46:30]

Are you sure that you need form_action not frame url? Nowadays submissions are
often done with JavaScript and action means nothing. Or you need both.

[Jialiu Lin, 2017/04/28 00:09:08]

Good to know.  I'll add more fields to the CheckSafeBrowsingReputation call.

+                ? GURL()

[dvadym, 2017/04/27 10:46:30]

Probably in case when a form is absent, current url is better option. It's
completely valid when there is no <form> tag

[Jialiu Lin, 2017/04/28 00:09:08]

Changed to pass both the action url and current frame url to the
CheckSafeBrowsingReputation call.  

+                : form_util::GetCanonicalActionForForm(element.Form()));
+      }
+#endif
+      if (ShouldShowNotSecureWarning(element)) {
+        autofill_agent_->ShowNotSecureWarning(element);
+        return true;
+      }
     }
     return false;
   }
@@ -1191,6 +1205,8 @@ void PasswordAutofillAgent::DidCommitProvisionalLoad(
     bool is_same_document_navigation) {
   if (is_same_document_navigation) {
     OnSameDocumentNavigationCompleted();
+  } else {
+    checked_safe_browsing_reputation_ = false;
   }
 }
 
@@ -1597,6 +1613,7 @@ void PasswordAutofillAgent::FrameClosing() {
   provisionally_saved_form_.Reset();
   field_value_and_properties_map_.clear();
   sent_request_to_store_ = false;
+  checked_safe_browsing_reputation_ = false;
 }
 
 void PasswordAutofillAgent::ClearPreview(