[Password Manager] Disable password manager for password website reauth

chrome/browser/password_manager/chrome_password_manager_client_unittest.cc

 // Copyright 2014 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/command_line.h"
 
 #include "chrome/browser/password_manager/chrome_password_manager_client.h"
 
 #include "chrome/common/chrome_version_info.h"
 #include "chrome/test/base/chrome_render_view_host_test_harness.h"
@@ skipping 248 matching lines @@
 
   // Adding disallow switch should cause sync credential to be filtered.
   CommandLine* command_line = CommandLine::ForCurrentProcess();
   command_line->AppendSwitch(
       password_manager::switches::kDisallowAutofillSyncCredential);
   client.reset(new TestChromePasswordManagerClient(web_contents()));
   client->set_is_sync_account_credential(true);
   NavigateAndCommit(GURL("https://accounts.google.com/Login"));
   EXPECT_TRUE(client->ShouldFilterAutofillResult(form));
 }
+
+TEST_F(ChromePasswordManagerClientTest,
+       IsPasswordManagerEnabledForCurrentPage) {
+  ChromePasswordManagerClient* client = GetClient();
+  NavigateAndCommit(
+      GURL("https://accounts.google.com/ServiceLogin?continue="
+           "https://passwords.google.com/settings&rart=123"));
+  EXPECT_FALSE(client->IsPasswordManagerEnabledForCurrentPage());
+
+  // Password site is inaccesible via HTTP, but because of HSTS the following
+  // link should still continue to https://passwords.google.com.
+  NavigateAndCommit(
+      GURL("https://accounts.google.com/ServiceLogin?continue="
+           "http://passwords.google.com/settings&rart=123"));
+  EXPECT_FALSE(client->IsPasswordManagerEnabledForCurrentPage());
+
+  // Specifying default port still passes.
+  NavigateAndCommit(
+      GURL("https://accounts.google.com/ServiceLogin?continue="
+           "https://passwords.google.com:443/settings&rart=123"));
+  EXPECT_FALSE(client->IsPasswordManagerEnabledForCurrentPage());
+
+  // Encoded URL is considered the same.
+  NavigateAndCommit(
+      GURL("https://accounts.google.com/ServiceLogin?continue="
+           "https://passwords.%67oogle.com/settings&rart=123"));
+  EXPECT_FALSE(client->IsPasswordManagerEnabledForCurrentPage());
+
+  // Fully qualified domain name is considered a different hostname by GURL.
+  // Ideally this would not be the case, but this quirk can be avoided by
+  // verification on the server. This test is simply documentation of this
+  // behavior.
+  NavigateAndCommit(
+      GURL("https://accounts.google.com/ServiceLogin?continue="
+           "https://passwords.google.com./settings&rart=123"));
+  EXPECT_TRUE(client->IsPasswordManagerEnabledForCurrentPage());

[Ilya Sherman, 2014/08/26 01:46:08]

Wat.  Can you check with the GURL maintainers whether this is WAI?

[Garrett Casto, 2014/08/26 18:27:58]

Sure, I'll follow up with Brett. My guess is that the issue is that this
particular hostname is functionally identical because "com" is a TLD, but int
the general case these could be different. I also don't know enough about DNS to
know for certain that even these hostnames are always equivalent (could your
local DNS override/intercept certain hostnames?).

+
+  // Not a transactional reauth page.
+  NavigateAndCommit(
+      GURL("https://accounts.google.com/ServiceLogin?continue="
+           "https://passwords.google.com/settings"));
+  EXPECT_TRUE(client->IsPasswordManagerEnabledForCurrentPage());
+
+  // Should be enabled for other transactional reauth pages.
+  NavigateAndCommit(
+      GURL("https://accounts.google.com/ServiceLogin?continue="
+           "https://mail.google.com&rart=234"));
+  EXPECT_TRUE(client->IsPasswordManagerEnabledForCurrentPage());
+
+  // Reauth pages are only on accounts.google.com
+  NavigateAndCommit(
+      GURL("https://other.site.com/ServiceLogin?continue="
+           "https://passwords.google.com&rart=234"));
+  EXPECT_TRUE(client->IsPasswordManagerEnabledForCurrentPage());
+}