[Password Manager] Make filling robust against changing url by JavaScript

components/autofill/content/renderer/password_autofill_agent.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/autofill/content/renderer/password_autofill_agent.h"
 
 #include <stddef.h>
 
 #include <memory>
 #include <string>
@@ skipping 237 matching lines @@
 
 // Helper to locate form elements identified by |data|.
 void FindFormElements(content::RenderFrame* render_frame,
                       const PasswordFormFillData& data,
                       bool ambiguous_or_empty_names,
                       FormElementsList* results) {
   DCHECK(results);
 
   blink::WebDocument doc = render_frame->GetWebFrame()->GetDocument();
 
-  if (data.origin != form_util::GetCanonicalOriginForDocument(doc))
+  if (GetSignOnRealm(data.origin) !=
+      GetSignOnRealm(form_util::GetCanonicalOriginForDocument(doc)))
     return;
 
   blink::WebVector<blink::WebFormElement> forms;
   doc.Forms(forms);
 
   for (size_t i = 0; i < forms.size(); ++i) {
     blink::WebFormElement fe = forms[i];
 
     // Action URL must match.
     if (data.action != form_util::GetCanonicalActionForForm(fe))
       continue;
 
     std::vector<blink::WebFormControlElement> control_elements =
         form_util::ExtractAutofillableElementsInForm(fe);
     FormInputElementMap cur_map;
     if (FindFormInputElements(control_elements, data, ambiguous_or_empty_names,
                               &cur_map))
       results->push_back(cur_map);
   }
   // If the element to be filled are not in a <form> element, the "action" and
   // origin should be the same.
   if (data.action != data.origin)

[kolos1, 2017/05/18 09:52:52]

Shall we do similar change here?

[dvadym, 2017/05/18 11:08:52]

This is a different case. This condition has nothing to do with current page,
it's only about |data|, and |data| contains information that was on load.

[kolos1, 2017/05/18 11:11:50]

Acknowledged.

     return;
 
   std::vector<blink::WebFormControlElement> control_elements =
       form_util::GetUnownedAutofillableFormFieldElements(doc.All(), nullptr);
   FormInputElementMap unowned_elements_map;
   if (FindFormInputElements(control_elements, data, ambiguous_or_empty_names,
                             &unowned_elements_map))
     results->push_back(unowned_elements_map);
 }
 
@@ skipping 922 matching lines @@
     // If there is a password field, but the list of password forms is empty for
     // some reason, add a dummy form to the list. It will cause a request to the
     // store. Therefore, saved passwords will be available for filling on click.
     if (!sent_request_to_store_ && password_forms.empty() &&
         HasPasswordField(*frame)) {
       // Set everything that |FormDigest| needs.
       password_forms.push_back(PasswordForm());
       password_forms.back().scheme = PasswordForm::SCHEME_HTML;
       password_forms.back().origin =
           form_util::GetCanonicalOriginForDocument(frame->GetDocument());
-      GURL::Replacements rep;
-      rep.SetPathStr("");
       password_forms.back().signon_realm =
-          password_forms.back().origin.ReplaceComponents(rep).spec();
+          GetSignOnRealm(password_forms.back().origin);
       sent_request_to_store_ = true;
     }
     if (!password_forms.empty())
       GetPasswordManagerDriver()->PasswordFormsParsed(password_forms);
   }
 }
 
 void PasswordAutofillAgent::DidFinishDocumentLoad() {
   // The |frame| contents have been parsed, but not yet rendered.  Let the
   // PasswordManager know that forms are loaded, even though we can't yet tell
@@ skipping 487 matching lines @@
 PasswordAutofillAgent::GetPasswordManagerDriver() {
   if (!password_manager_driver_) {
     render_frame()->GetRemoteInterfaces()->GetInterface(
         mojo::MakeRequest(&password_manager_driver_));
   }
 
   return password_manager_driver_;
 }
 
 }  // namespace autofill