This template is ONLY for reporting privacy issues. Please use a different
template for other types of bug reports.

Please see http://www.chromium.org/Home/chromium-privacy for further
information.


PRIVACY ISSUE
The issue is with the Shift+Enter behavior or Chrome on form submit. Consider Gmail accessed via desktop on Chrome (49 or above). Say an oblivious user presses Shift+enter and does not notice. A new window pops up with login progress. However, the parent background Chrome window still has he password filled in. This is a major concern as an oblivious user may logout leave the parent window open. Any "Black hat" can login to user's account in a click. Of course, 2-factor authentication is a possible solution. However, a more tech savvy solution is to "clear" the password field on Shift+Enter. A lot of high-risk sites already employ scripts to achieve this so I believe high-privacy sites such as Gmail should consider he scenario as well.

VERSION:
Chrome Version: Tested on 49.0.2623.112 and 53.0.2785.116
Operating System: Windows 7 and Windows Vista

REPRODUCTION STEPS
1. Open www.gmail.com, or any other single authentication site on Chrome
2. Fill in username and then password
3. Instead of pressing the Enter key, press Shift+Enter (this would be an accidental key press). Given the adjacency of Shift and Enter keys, the scenario is quite common (ask anyone who has used an uppercase letter at the end of their password and they will share their tale of woe).
4. If anything, Google can write an analytical front-end script to get a counter to such scenarios (Just count shift+enter events in which the parent window was never closed). I believe that such scenarios occur more than million times a day.