Password autofill should not override explicitly typed password

components/autofill/content/renderer/password_autofill_agent.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "components/autofill/content/renderer/password_autofill_agent.h"
 
 #include "base/bind.h"
 #include "base/memory/scoped_ptr.h"
 #include "base/message_loop/message_loop.h"
 #include "base/metrics/histogram.h"
@@ skipping 255 matching lines @@
   elements_.clear();
 }
 
 void PasswordAutofillAgent::PasswordValueGatekeeper::Reset() {
   was_user_gesture_seen_ = false;
   elements_.clear();
 }
 
 void PasswordAutofillAgent::PasswordValueGatekeeper::ShowValue(
     blink::WebInputElement* element) {
-  if (!element->isNull() && !element->suggestedValue().isNull())
+  if (!element->isNull() && element->value().isNull() &&

[engedy, 2014/07/29 17:47:56]

Could you please double-check that we first erase any previously auto-filled
passwords in cases where the new one gets auto-filled through the gatekeeper?

I think TextFieldDidEndEditing() will need to be updated, but I am not entire
sure there are not more places.

[vabr (Chromium), 2014/07/30 16:46:58]

Great catch. Indeed, I broke this. It should be now fixed and I added a test for
that.

+      !element->suggestedValue().isNull()) {
     element->setValue(element->suggestedValue(), true);
+    element->setSuggestedValue(blink::WebString());

[vabr (Chromium), 2014/07/30 16:46:58]

I just discovered that setValue clears the suggested value, so I'm dropping this
line again.

+  }
 }
 
 bool PasswordAutofillAgent::TextFieldDidEndEditing(
     const blink::WebInputElement& element) {
   LoginToPasswordInfoMap::const_iterator iter =
       login_to_password_info_.find(element);
   if (iter == login_to_password_info_.end())
     return false;
 
   const PasswordFormFillData& fill_data = iter->second.fill_data;
 
   // If wait_for_username is false, we should have filled when the text changed.
   if (!fill_data.wait_for_username)
     return false;
 
   blink::WebInputElement password = iter->second.password_field;
   if (!IsElementEditable(password))
     return false;
 
   blink::WebInputElement username = element;  // We need a non-const.
 
+  // Don't let autofill overwrite an explicit change made by the user.
+  if (iter->second.user_changed_password_more_recently_than_username)

[engedy, 2014/07/29 17:47:56]

I have put some more though into this, I *think* the ideal behavior *for me*
would be the following:

After the user overrides the password (we check that it actually ends up being
different), we essentially fall back into "wait_for_username" mode, and a bit
more. More precisely, we only re-fill the password field when:
 1.) The user selects a username suggestion from the drop-down, a username that
is not the one that corresponds to the edited password.
 2.) The user edits the username, and ends editing in the text field, leaving a
username there for which we have a password stored, and that is not the username
that corresponds to the edited password.

WDYT?

[vabr (Chromium), 2014/07/30 16:46:59]

Your semantics sounds reasonable to me. I tried to accommodate it. The missing
piece seemed to be handling FillSuggestion calls from AutofillAgent.

One piece of clarification:
If the user does:
1) autofill credentials for username/password
2) edits password
3) edits username to something which is not among suggestions
4) edits username again, making it a prefix of the username of step 1), and
triggering the inline autocomplete for that

then I consider it fair to overwrite the password with the suggestion again. Do
you agree?

+    return false;
+
   // Do not set selection when ending an editing session, otherwise it can
   // mess with focus.
   FillUserNameAndPassword(&username,
                           &password,
                           fill_data,
                           true /* exact_username_match */,
                           false /* set_selection */);
   return true;
 }
 
 bool PasswordAutofillAgent::TextDidChangeInTextField(
     const blink::WebInputElement& element) {
+  // TODO(vabr): Get a mutable argument instead. http://crbug.com/397083
+  blink::WebInputElement mutable_element = element;  // We need a non-const.
+
+  if (element.isPasswordField()) {
+    PasswordToLoginMap::iterator iter = password_to_username_.find(element);
+    if (iter != password_to_username_.end()) {
+      login_to_password_info_[iter->second]
+          .user_changed_password_more_recently_than_username = true;
+      mutable_element.setAutofilled(false);
+    }
+    return false;
+  }
+
   LoginToPasswordInfoMap::const_iterator iter =
       login_to_password_info_.find(element);
   if (iter == login_to_password_info_.end())
     return false;
 
   // The input text is being changed, so any autofilled password is now
   // outdated.
-  blink::WebInputElement username = element;  // We need a non-const.
-  username.setAutofilled(false);
+  mutable_element.setAutofilled(false);
+  login_to_password_info_[element]
+      .user_changed_password_more_recently_than_username = false;
 
   blink::WebInputElement password = iter->second.password_field;
   if (password.isAutofilled()) {
     password.setValue(base::string16(), true);
     password.setAutofilled(false);
   }
 
   // If wait_for_username is true we will fill when the username loses focus.
   if (iter->second.fill_data.wait_for_username)
     return false;
 
   if (!element.isText() || !IsElementAutocompletable(element) ||
       !IsElementAutocompletable(password)) {
     return false;
   }
 
   // Don't inline autocomplete if the user is deleting, that would be confusing.
   // But refresh the popup.  Note, since this is ours, return true to signal
   // no further processing is required.
   if (iter->second.backspace_pressed_last) {
-    ShowSuggestionPopup(iter->second.fill_data, username, false);
+    ShowSuggestionPopup(iter->second.fill_data, element, false);
     return true;
   }
 
   blink::WebString name = element.nameForAutofill();
   if (name.isEmpty())
     return false;  // If the field has no name, then we won't have values.
 
   // Don't attempt to autofill with values that are too large.
   if (element.value().length() > kMaximumTextSizeForAutocomplete)
     return false;
 
+  // Don't let autofill overwrite an explicit change made by the user.
+  if (iter->second.user_changed_password_more_recently_than_username)
+    return false;
+
   // The caret position should have already been updated.
   PerformInlineAutocomplete(element, password, iter->second.fill_data);
   return true;
 }
 
 bool PasswordAutofillAgent::TextFieldHandlingKeyDown(
     const blink::WebInputElement& element,
     const blink::WebKeyboardEvent& event) {
   // If using the new Autofill UI that lives in the browser, it will handle
   // keypresses before this function. This is not currently an issue but if
@@ skipping 421 matching lines @@
     // We might have already filled this form if there are two <form> elements
     // with identical markup.
     if (login_to_password_info_.find(username_element) !=
         login_to_password_info_.end())
       continue;
 
     PasswordInfo password_info;
     password_info.fill_data = form_data;
     password_info.password_field = password_element;
     login_to_password_info_[username_element] = password_info;
+    password_to_username_[password_element] = username_element;
 
     FormData form;
     FormFieldData field;
     FindFormAndFieldForFormControlElement(
         username_element, &form, &field, REQUIRE_NONE);
     Send(new AutofillHostMsg_AddPasswordFormMapping(
         routing_id(), field, form_data));
   }
 }
 
 void PasswordAutofillAgent::OnSetLoggingState(bool active) {
   logging_state_active_ = active;
 }
 
 ////////////////////////////////////////////////////////////////////////////////
 // PasswordAutofillAgent, private:
 
+PasswordAutofillAgent::PasswordInfo::PasswordInfo()
+    : backspace_pressed_last(false),
+      user_changed_password_more_recently_than_username(false) {
+}
+
 void PasswordAutofillAgent::GetSuggestions(
     const PasswordFormFillData& fill_data,
     const base::string16& input,
     std::vector<base::string16>* suggestions,
     std::vector<base::string16>* realms,
     bool show_all) {
   if (show_all ||
       StartsWith(fill_data.basic_data.fields[0].value, input, false)) {
     suggestions->push_back(fill_data.basic_data.fields[0].value);
     realms->push_back(base::UTF8ToUTF16(fill_data.preferred_realm));
@@ skipping 207 matching lines @@
                           &password,
                           fill_data,
                           false /* exact_username_match */,
                           true /* set_selection */);
 #endif
 }
 
 void PasswordAutofillAgent::FrameClosing(const blink::WebFrame* frame) {
   for (LoginToPasswordInfoMap::iterator iter = login_to_password_info_.begin();
        iter != login_to_password_info_.end();) {
-    if (iter->first.document().frame() == frame)
+    if (iter->first.document().frame() == frame) {
+      password_to_username_.erase(iter->second.password_field);
       login_to_password_info_.erase(iter++);
-    else
+    } else {
       ++iter;
+    }
   }
   for (FrameToPasswordFormMap::iterator iter =
            provisionally_saved_forms_.begin();
        iter != provisionally_saved_forms_.end();) {
     if (iter->first == frame)
       provisionally_saved_forms_.erase(iter++);
     else
       ++iter;
   }
 }
@@ skipping 27 matching lines @@
     username->setSelectionRange(username_selection_start_,
                                 username->value().length());
   }
   if (!password->suggestedValue().isEmpty()) {
       password->setSuggestedValue(blink::WebString());
       password->setAutofilled(was_password_autofilled_);
   }
 }
 
 }  // namespace autofill