Password autofill should not override explicitly typed password

components/autofill/content/renderer/password_autofill_agent.h

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #ifndef COMPONENTS_AUTOFILL_CONTENT_RENDERER_PASSWORD_AUTOFILL_AGENT_H_
 #define COMPONENTS_AUTOFILL_CONTENT_RENDERER_PASSWORD_AUTOFILL_AGENT_H_
 
 #include <map>
+#include <set>
 #include <vector>
 
 #include "base/memory/linked_ptr.h"
 #include "base/memory/weak_ptr.h"
 #include "components/autofill/core/common/password_form_fill_data.h"
 #include "content/public/renderer/render_view_observer.h"
 #include "third_party/WebKit/public/web/WebInputElement.h"
 
 namespace blink {
 class WebInputElement;
@@ skipping 68 matching lines @@
   // Ways to restrict which passwords are saved in ProvisionallySavePassword.
   enum ProvisionallySaveRestriction {
     RESTRICTION_NONE,
     RESTRICTION_NON_EMPTY_PASSWORD
   };
 
   struct PasswordInfo {
     blink::WebInputElement password_field;
     PasswordFormFillData fill_data;
     bool backspace_pressed_last;
-    PasswordInfo() : backspace_pressed_last(false) {}
+    // "Wait for username change" before overwriting the password value -- if
+    // set to true, this flag means that after selecting a username for password
+    // autofill, the user overwrote the autofileld password. The agent should
+    // not restore it back to the autofilled password, so it holds on with
+    // changing the password value until the flag is reset. The flag is reset
+    // when the user chooses another username for autofill.
+    bool wait_for_username_change;
+    PasswordInfo();
   };
-  typedef std::map<blink::WebElement, PasswordInfo> LoginToPasswordInfoMap;
+  // LoginToPasswordInfoMap contains pointers to instead of values of type
+  // PasswordInfo, because the addresses of the values are passed to a
+  // PasswordValueGatekeeper instance, and need therefore remain constant for
+  // the lifetime of the values.
+  typedef std::map<blink::WebElement, PasswordInfo*> LoginToPasswordInfoMap;
+  typedef std::map<blink::WebElement, blink::WebElement> PasswordToLoginMap;
   typedef std::map<blink::WebFrame*,
                    linked_ptr<PasswordForm> > FrameToPasswordFormMap;
 
-  // This class holds a vector of autofilled password input elements and makes
-  // sure the autofilled password value is not accessible to JavaScript code
-  // until the user interacts with the page.
+  // This class keeps track of autofilled password input elements and makes sure
+  // the autofilled password value is not accessible to JavaScript code until
+  // the user interacts with the page.
   class PasswordValueGatekeeper {
    public:
     PasswordValueGatekeeper();
     ~PasswordValueGatekeeper();
 
-    // Call this for every autofilled password field, so that the gatekeeper
-    // protects the value accordingly.
-    void RegisterElement(blink::WebInputElement* element);
+    // Register |element_info| for every autofilled password field, so that the
+    // gatekeeper protects the value accordingly. Ownership of |element_info|
+    // remains with the caller, and the caller must unregister it via
+    // UnregisterElementInfo or Reset prior to destruction of |element_info|.
+    // The caller also must ensure that the object pointed to by |element_info|
+    // does not change address.
+    void RegisterElementInfo(PasswordInfo* element_info);
+    // Remove |element_info| from the internal map. It is OK to call
+    // UnregisterElementInfo for pointers not contained in the internal map,
+    // because the gatekeeper may choose to not include, or later exclude,
+    // registered pointers at its own discretion.
+    void UnregisterElementInfo(PasswordInfo* element_info);
 
     // Call this to notify the gatekeeper that the user interacted with the
     // page.
     void OnUserGesture();
 
     // Call this to reset the gatekeeper on a new page navigation.
     void Reset();
 
    private:
     // Make the value of |element| accessible to JavaScript code.
     void ShowValue(blink::WebInputElement* element);
 
     bool was_user_gesture_seen_;
-    std::vector<blink::WebInputElement> elements_;
+    // Weak pointers to the PasswordInfo data associated with the guarded
+    // password elements. The Gatekeeper assumes those objects are alive until
+    // they are unregistered.
+    std::set<PasswordInfo*> elements_info_;
 
     DISALLOW_COPY_AND_ASSIGN(PasswordValueGatekeeper);
   };
 
   // RenderViewObserver:
   virtual bool OnMessageReceived(const IPC::Message& message) OVERRIDE;
   virtual void DidStartProvisionalLoad(blink::WebLocalFrame* frame) OVERRIDE;
   virtual void DidStartLoading() OVERRIDE;
   virtual void DidFinishDocumentLoad(blink::WebLocalFrame* frame) OVERRIDE;
   virtual void DidFinishLoad(blink::WebLocalFrame* frame) OVERRIDE;
@@ skipping 16 matching lines @@
   void GetSuggestions(const PasswordFormFillData& fill_data,
                       const base::string16& input,
                       std::vector<base::string16>* suggestions,
                       std::vector<base::string16>* realms,
                       bool show_all);
 
   bool ShowSuggestionPopup(const PasswordFormFillData& fill_data,
                            const blink::WebInputElement& user_input,
                            bool show_all);
 
-  // Attempts to fill |username_element| and |password_element| with the
-  // |fill_data|.  Will use the data corresponding to the preferred username,
-  // unless the |username_element| already has a value set.  In that case,
-  // attempts to fill the password matching the already filled username, if
-  // such a password exists.
-  void FillFormOnPasswordRecieved(const PasswordFormFillData& fill_data,
-                                  blink::WebInputElement username_element,
-                                  blink::WebInputElement password_element);
+  // Attempts to fill |username_element| and the corresponding password field
+  // with |password_info|.  Will use the data corresponding to the preferred
+  // username, unless the username element already has a value set.  In that
+  // case, attempts to fill the password matching the already filled username,
+  // if such a password exists.
+  void FillFormOnPasswordRecieved(blink::WebInputElement* username_element,
+                                  PasswordInfo* password_info);
 
   bool FillUserNameAndPassword(blink::WebInputElement* username_element,
-                               blink::WebInputElement* password_element,
-                               const PasswordFormFillData& fill_data,
+                               PasswordInfo* password_info,
                                bool exact_username_match,
                                bool set_selection);
 
-  // Fills |login_input| and |password| with the most relevant suggestion from
-  // |fill_data| and shows a popup with other suggestions.
-  void PerformInlineAutocomplete(
-      const blink::WebInputElement& username,
-      const blink::WebInputElement& password,
-      const PasswordFormFillData& fill_data);
+  // Fills |username| and corresponding password field with the most relevant
+  // suggestion from |password_info| and shows a popup with other suggestions.
+  void PerformInlineAutocomplete(blink::WebInputElement* username,
+                                 PasswordInfo* password_info);
 
   // Invoked when the passed frame is closing.  Gives us a chance to clear any
   // reference we may have to elements in that frame.
   void FrameClosing(const blink::WebFrame* frame);
 
   // Finds login information for a |node| that was previously filled.
   bool FindLoginInfo(const blink::WebNode& node,
                      blink::WebInputElement* found_input,
-                     PasswordInfo* found_password);
+                     PasswordInfo** found_password);
 
   // Clears the preview for the username and password fields, restoring both to
   // their previous filled state.
   void ClearPreview(blink::WebInputElement* username,
                     blink::WebInputElement* password);
 
   // If |provisionally_saved_forms_| contains a form for |current_frame| or its
   // children, return such frame.
   blink::WebFrame* CurrentOrChildFrameWithSavedForms(
       const blink::WebFrame* current_frame);
 
   // Extracts a PasswordForm from |form| and saves it as
   // |provisionally_saved_forms_[frame]|, as long as it satisfies |restriction|.
   void ProvisionallySavePassword(blink::WebLocalFrame* frame,
                                  const blink::WebFormElement& form,
                                  ProvisionallySaveRestriction restriction);
 
   // The logins we have filled so far with their associated info.
   LoginToPasswordInfoMap login_to_password_info_;
+  // Stores the PasswordInfo objects pointed to by |login_to_password_info_|,
+  // grouped by frames for easy deletion on frame destruction.
+  std::map<const blink::WebFrame*, std::vector<linked_ptr<PasswordInfo> > >
+      password_infos_;
+  // Maps password elements to the corresponding username elements, good for
+  // looking up PasswordInfo associated with a password element in
+  // |login_to_password_info_|.
+  PasswordToLoginMap password_to_username_;
 
   // Used for UMA stats.
   OtherPossibleUsernamesUsage usernames_usage_;
 
   // Pointer to the WebView. Used to access page scale factor.
   blink::WebView* web_view_;
 
   // Set if the user might be submitting a password form on the current page,
   // but the submit may still fail (i.e. doesn't pass JavaScript validation).
   FrameToPasswordFormMap provisionally_saved_forms_;
@@ skipping 16 matching lines @@
   bool did_stop_loading_;
 
   base::WeakPtrFactory<PasswordAutofillAgent> weak_ptr_factory_;
 
   DISALLOW_COPY_AND_ASSIGN(PasswordAutofillAgent);
 };
 
 }  // namespace autofill
 
 #endif  // COMPONENTS_AUTOFILL_CONTENT_RENDERER_PASSWORD_AUTOFILL_AGENT_H_