Implement autocomplete='current-password' and 'new-password'.

components/autofill/content/renderer/password_form_conversion_utils.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/autofill/content/renderer/password_form_conversion_utils.h"
 
 #include "base/strings/string_util.h"
 #include "components/autofill/content/renderer/form_autofill_util.h"
 #include "components/autofill/core/common/password_form.h"
 #include "third_party/WebKit/public/platform/WebString.h"
@@ skipping 10 matching lines @@
 
 namespace autofill {
 namespace {
 
 // Maximum number of password fields we will observe before throwing our
 // hands in the air and giving up with a given form.
 static const size_t kMaxPasswords = 3;
 
 // Checks in a case-insensitive way if the autocomplete attribute for the given
 // |element| is present and has the specified |value_in_lowercase|.
-bool HasAutocompleteAttributeValue(const WebInputElement* element,
+bool HasAutocompleteAttributeValue(const WebInputElement& element,
                                    const char* value_in_lowercase) {
-  return LowerCaseEqualsASCII(element->getAttribute("autocomplete"),
+  return LowerCaseEqualsASCII(element.getAttribute("autocomplete"),
                               value_in_lowercase);
 }
 
 // Helper to determine which password is the main (current) one, and which is
 // the new password (e.g., on a sign-up or change password form), if any.
 bool LocateSpecificPasswords(std::vector<WebInputElement> passwords,
-                             WebInputElement* password,
+                             WebInputElement* current_password,
                              WebInputElement* new_password) {
+  DCHECK(current_password && current_password->isNull());
+  DCHECK(new_password && new_password->isNull());
+
+  // First, look for elements marked with either autocomplete='current-password'
+  // or 'new-password' -- if we find any, take the hint, and treat the first of
+  // each kind as the element we are looking for.
+  for (std::vector<WebInputElement>::const_iterator it = passwords.begin();
+       it != passwords.end(); it++) {
+    if (HasAutocompleteAttributeValue(*it, "current-password") &&
+        current_password->isNull()) {
+      *current_password = *it;
+    } else if (HasAutocompleteAttributeValue(*it, "new-password") &&
+        new_password->isNull()) {
+      *new_password = *it;
+    }
+  }
+
+  // If we have seen an element with either of autocomplete attributes above,
+  // take that as a signal that the page author must have intentionally left the
+  // rest of the password fields unmarked. Perhaps they are used for other
+  // purposes, e.g., PINs, OTPs, and the like. So we skip all the heuristics we
+  // normally do, and ignore the rest of the password fields.
+  if (!current_password->isNull() || !new_password->isNull())
+    return true;
+
   switch (passwords.size()) {
     case 1:
       // Single password, easy.
-      *password = passwords[0];
+      *current_password = passwords[0];
       break;
     case 2:
       if (passwords[0].value() == passwords[1].value()) {
         // Two identical passwords: assume we are seeing a new password with a
         // confirmation. This can be either a sign-up form or a password change
         // form that does not ask for the old password.
         *new_password = passwords[0];
       } else {
         // Assume first is old password, second is new (no choice but to guess).
-        *password = passwords[0];
+        *current_password = passwords[0];
         *new_password = passwords[1];
       }
       break;
     case 3:
       if (!passwords[0].value().isEmpty() &&
           passwords[0].value() == passwords[1].value() &&
           passwords[0].value() == passwords[2].value()) {
         // All three passwords are the same and non-empty? This does not make
         // any sense, give up.
         return false;
       } else if (passwords[1].value() == passwords[2].value()) {
         // New password is the duplicated one, and comes second; or empty form
         // with 3 password fields, in which case we will assume this layout.
-        *password = passwords[0];
+        *current_password = passwords[0];
         *new_password = passwords[1];
       } else if (passwords[0].value() == passwords[1].value()) {
         // It is strange that the new password comes first, but trust more which
         // fields are duplicated than the ordering of fields.
-        *password = passwords[2];
+        *current_password = passwords[2];
         *new_password = passwords[0];
       } else {
         // Three different passwords, or first and last match with middle
         // different. No idea which is which, so no luck.
         return false;
       }
       break;
     default:
       return false;
   }
@@ skipping 36 matching lines @@
           DCHECK(!other_possible_usernames.empty());
           DCHECK_EQ(base::string16(latest_input_element.value()),
                     other_possible_usernames.back());
           other_possible_usernames.pop_back();
         }
       }
     }
 
     // Various input types such as text, url, email can be a username field.
     if (input_element->isTextField() && !input_element->isPasswordField()) {
-      if (HasAutocompleteAttributeValue(input_element, "username")) {
+      if (HasAutocompleteAttributeValue(*input_element, "username")) {
         if (has_seen_element_with_autocomplete_username_before) {
           // A second or subsequent element marked with autocomplete='username'.
           // This makes us less confident that we have understood the form. We
           // will stick to our choice that the first such element was the real
           // username, but will start collecting other_possible_usernames from
           // the extra elements marked with autocomplete='username'. Note that
           // unlike username_element, other_possible_usernames is used only for
           // autofill, not for form identification, and blank autofill entries
           // are not useful, so we do not collect empty strings.
           if (!input_element->value().isEmpty())
@@ skipping 97 matching lines @@
                            blink::WebFormControlElement(),
                            REQUIRE_NONE,
                            EXTRACT_NONE,
                            &password_form->form_data,
                            NULL /* FormFieldData */);
 
   return password_form.Pass();
 }
 
 }  // namespace autofill