Expose passwords to JavaScript in Credential Manager API

third_party/WebKit/Source/modules/credentialmanager/PasswordCredential.cpp

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "modules/credentialmanager/PasswordCredential.h"
 
 #include "bindings/core/v8/Dictionary.h"
 #include "bindings/core/v8/ExceptionState.h"
 #include "core/HTMLNames.h"
 #include "core/dom/ExecutionContext.h"
 #include "core/dom/URLSearchParams.h"
 #include "core/html/FormData.h"
 #include "core/html/HTMLFormElement.h"
 #include "core/html/ListedElement.h"
 #include "modules/credentialmanager/FormDataOptions.h"
 #include "modules/credentialmanager/PasswordCredentialData.h"
+#include "platform/RuntimeEnabledFeatures.h"
 #include "platform/credentialmanager/PlatformPasswordCredential.h"
 #include "platform/weborigin/SecurityOrigin.h"
 #include "public/platform/WebCredential.h"
 #include "public/platform/WebPasswordCredential.h"
 
 namespace blink {
 
 PasswordCredential* PasswordCredential::Create(
     WebPasswordCredential* web_password_credential) {
   return new PasswordCredential(web_password_credential);
@@ skipping 98 matching lines @@
 
 PasswordCredential::PasswordCredential(const String& id,
                                        const String& password,
                                        const String& name,
                                        const KURL& icon)
     : CredentialUserData(
           PlatformPasswordCredential::Create(id, password, name, icon)),
       id_name_("username"),
       password_name_("password") {}
 
+const String& PasswordCredential::password() const {
+  return RuntimeEnabledFeatures::passwordCredentialPasswordEnabled()

[Mike West, 2017/05/16 09:30:45]

I think you can safely change this to:

```
return
static_cast<PlatformPasswordCredential*>(platform_credential_.Get())->Password();
```

as the guard you put into the IDL file will prevent it from being called from
the web if it's not meant to be available.

(That is, you can just rename and move the existing `Password()` method)

[jdoerrie, 2017/05/17 15:39:22]

Done.

+             ? static_cast<PlatformPasswordCredential*>(
+                   platform_credential_.Get())
+                   ->Password()
+             : empty_password_;
+}
+
 PassRefPtr<EncodedFormData> PasswordCredential::EncodeFormData(
     String& content_type) const {
   if (additional_data_.isURLSearchParams()) {
     // If |additionalData| is a 'URLSearchParams' object, build a urlencoded
     // response.
     URLSearchParams* params = URLSearchParams::Create(String());
     URLSearchParams* additional_data = additional_data_.getAsURLSearchParams();
     for (const auto& param : additional_data->Params()) {
       const String& name = param.first;
       if (name != idName() && name != passwordName())
         params->append(name, param.second);
     }
     params->append(idName(), id());
-    params->append(passwordName(), Password());
+    params->append(passwordName(), password());

[Mike West, 2017/05/16 09:30:45]

I don't think this is going to work, as the current code will prevent the
password from being sent out via `fetch()` unless the runtime flag is set. Doing
the change above should make this work again.

[jdoerrie, 2017/05/17 15:39:22]

Acknowledged.

 
     content_type =
         AtomicString("application/x-www-form-urlencoded;charset=UTF-8");
 
     return params->ToEncodedFormData();
   }
 
   // Otherwise, we'll build a multipart response.
   FormData* form_data = FormData::Create(nullptr);
   if (additional_data_.isFormData()) {
     FormData* additional_data = additional_data_.getAsFormData();
     for (const FormData::Entry* entry : additional_data->Entries()) {
       const String& name = form_data->Decode(entry->name());
       if (name == idName() || name == passwordName())
         continue;
 
       if (entry->GetBlob())
         form_data->append(name, entry->GetBlob(), entry->Filename());
       else
         form_data->append(name, form_data->Decode(entry->Value()));
     }
   }
   form_data->append(idName(), id());
-  form_data->append(passwordName(), Password());
+  form_data->append(passwordName(), password());
 
   RefPtr<EncodedFormData> encoded_data = form_data->EncodeMultiPartFormData();
   content_type = AtomicString("multipart/form-data; boundary=") +
                  encoded_data->Boundary().data();
   return encoded_data.Release();
 }
 
-const String& PasswordCredential::Password() const {
-  return static_cast<PlatformPasswordCredential*>(platform_credential_.Get())
-      ->Password();
-}
-
 DEFINE_TRACE(PasswordCredential) {
   CredentialUserData::Trace(visitor);
   visitor->Trace(additional_data_);
 }
 
 }  // namespace blink